Dissecting Windows 10 Security
New features such as the Antimalware Scan Interface, Virtualization-Based Security and threat analytics are making Windows much more difficult to exploit, but hackers and researchers demonstrate it's still not impossible.
Every time Microsoft has released a new version of Windows over the past two decades, the company has raised the bar with improved security and each upgrade immediately becomes a target of hackers and cybercriminals looking to find new holes in the OS. Last year's Windows 10 release and the Anniversary Update release pushed out by Microsoft two months ago are no exception.
Microsoft has added some significant new security features to the Windows 10 Anniversary Update, code-named "Redstone," that experts and longtime critics admit are quite impressive. Overall, IT organizations will welcome these new security features, experts say. Given the Anniversary Update is the enterprise equivalent of a first service pack for Windows 10, though arguably with more features than typical service packs, enterprises are looking to roll out new systems or upgrade to the new OS in the coming year, according to a number of surveys, because most enterprises passed on Windows 8/8.1 and Windows 7 was released seven years ago. While organizations' PCs with Windows 10 will be more secure than systems with earlier versions, the OS still isn't impenetrable.
Key Security Enhancements
Security experts and analysts say the two most noteworthy security features in a laundry list of new capabilities are the new Antimalware Scan Interface (AMSI) APIs and a list of upgraded Virtualization-Based Security (VBS) features introduced in the OS last year. Still, also worth noting are the improved support for extended multi-factor authentication via the new Windows Hello biometric log-in capability, and the addition of Advanced Threat Protection (ATP) and Windows Information Protection to Windows Defender, which provides extended BitLocker encryption that reduces the risk of data leakage.
Just a week before Microsoft pushed out the update, researchers and the hacker community dissected the Windows 10 Anniversary Update at the annual Black Hat USA conference in Las Vegas. Multiple sessions were devoted to breaking down the latest version of Windows, both by Microsoft officials, security researchers and, of course, the hacker community.
IT professionals will come to their own conclusions about whether some of these new features provide breakthrough improvements in security or whether they're simply incremental updates.
Vulnerabilities Exposed by Black Hats
Despite Redmond's emphasis on addressing real-world vulnerabilities, less than two months following the release of the Anniversary Update, the number of exploits discovered in Windows 10 remains high. Some reports were not entirely accurate, critics note, such as problems related to the Secure Boot mode with so-called "golden keys" discovered in August. But it's clear many organizations remain exposed to zero-day threats, ransomware and other vulnerabilities. Granted, the rollout of Windows 10 among enterprises, no less the Anniversary Update, is still in its early stages.
It should be noted that the demos were showcased at the Black Hat Conference a week before the actual code was pushed out and Microsoft routinely roles out patches. Likewise, these are not easy targets by any stretch, experts say.
Exploiting AMSI Script Protection
Of the new security features, AMSI is arguably the most interesting of the new features in Windows: It's a set of APIs that can be deployed in Microsoft's own Windows Defender antimalware software to protect against script-based attacks by scanning files and other data in memory. The APIs also perform reputation tests of URLs and IT addresses. In addition to running them in Windows Defender, Microsoft is making the AMSI APIs available to third-party endpoint security software providers and to other applications. As of this writing, only AVG is offering it in its antimalware offering, others say they're still evaluating it and some don't want to comment at all (see a report on third-party AMSI support).
Nikhil Mittal, a self-proclaimed hacker, trainer and penetration tester, demonstrated some weaknesses in AMSI in a session at the Black Hat conference. AMSI is designed to intercept potentially malicious scripts in memory, as well as allow other applications designed to register and process content via the AMSI framework. The intent behind AMSI is to catch scripted threats regardless of input method or how well the threat is hidden, eliminating them before they can execute. AMSI tries to catch the scripts at the scripting host level as they're loaded from WMI namespaces, registry keys or event logs. Traditional disk-based detection is unable to catch such scripts as the storage is rather unusual and unable to be analyzed.
"What makes AMSI really special is its visibility into the system it's protecting," says Brad Bussie, CISSP, director of Product Management at STEALTHbits Technologies Inc., a supplier of security software. "Being able to look at WMI namespaces, registry keys and event logs -- all untraditional places that scripts can potentially run from -- gives AMSI insight into attacks that would otherwise go undetected."
Mittal demonstrated ways attackers could get around AMSI. Mittal organized his demonstrations of AMSI bypasses using Windows PowerShell as the source of the attack.
"PowerShell is the hottest threat vector area from a malicious shell perspective," Mittal explained. "It has a low rate of detection, the payloads are very effective, and Windows comes pre-loaded with PowerShell. The tool is also used by sys admins, which means activities performed using this tool could easily stay off the radar as it mixes with normal traffic."
Mitall presented the following AMSI exploit methods:
- Unusual Shell Execution
- Run without powershell.exe
- Utilize reflection (within the memory space of another process)
- Apply application whitelisting bypass (install and so on)
- Signature Bypass (This method is known as obfuscation, or the ability to render the script unclear or unintelligible to AMSI)
- Remove the help section
- Obfuscate the function and variable names (change names to numbers, for example)
- Use simple obfuscation tools that work
- Encode parts of the script
- Deliver the payload
"This method is fast and very effective at the time of this presentation," Mitall explained. AMSI flaws extend beyond the ability to bypass the system. AMSI can also be exploited by attackers that have elevated permissions to the Windows machine running AMSI. Mitall presented two options, referencing two separate researchers:
- Matt Graeber (@mattifestation) -- a one-line command; no admin privilege is necessary (client-side attacks are possible); also bypasses automatic logging
- Cornelis de Plaa (@Cneelis) -- moves powershell.exe to where the AMSI.dll is and executes it from there; loads a fake DLL (AMSI doesn't execute)
"With the necessary credentials in use and with one simple command, AMSI can be set from enabled to disabled without a single notification sent to a user or administrator," Bussie notes.
"Does this mean doom and gloom for the Red Team?" Mittal asked during his presentation, referring to Microsoft's internal teams that employ offense-based models to detect vulnerabilities (see "Microsoft's Security Posture: The Best Defense Is a Strong Offense"). Mittal cited the following steps:
- Use PowerShell v2 (which requires the Microsoft .NET Framework 3.0 and does not come with Windows 10)
- Significantly change the signature of your scripts, which is relatively easy to do
- Disable AMSI
- Backward compatibility is a huge deal for Microsoft -- you still see the .NET Framework 3.0 on Windows 10
As with most security systems, when automated detection and response processes aren't available (or possible) directly at the endpoint, some event correlation system -- and possibly even human intervention -- is necessary.
"Keep in mind, most of the attacks discussed do generate event logs," says Bussie. "This brings up a very important point about monitoring event logs when leveraging a service like AMSI. Administrators will want to make sure they log and alert on PowerShell events and look for signs of an attacker attempting to bypass logging. Remember, AMSI is only effective when paired with other security measures and should not be relied upon as a standalone component."
Cutting Through Virtualization-Based Security
AMSI is among the newest approaches by Microsoft to make Windows more secure. Another approache, introduced with last year's release of Windows 10, is VBS. VBS uses processor virtualization extensions to create a hardware-based security boundary between the sensitive Windows components and data and the rest of the OS. Built on and taking advantage of security capabilities found in Hyper-V -- such as Hypervisor Code Integrity (HVCI) and Local Security Authority (LSA) -- VBS in the Windows 10 Anniversary Update can create secure execution environments for sensitive Windows functions and data by isolating core OS services, thereby keeping user mode and kernel mode processes separate from each other.
In Windows 10, the Credential Guard feature leverages VBS to protect the domain credentials, users' credentials and the underlying Windows authentication subsystem. It does this by isolating a portion of the LSA service, thereby mitigating security risks associated with pass-the-hash and pass-the-ticket attacks. Rafal Wojtczuk, a security researcher at Bromium, demonstrated at Black Hat how Mimikatz -- a tool that allows bad actors to extract cleartext passwords and password hashes from memory -- would fail to execute on a system protected with Credential Guard. However, as Wojtczuk pointed out during his presentation, "even in the most hardened configuration, once an attacker has system privileges, they can silently authenticate as a logged-in user to remote servers from the compromised machine until reboot."
In this case, VBS utilizes Hypervisor Code Integrity (HVCI) to keep unauthorized apps from running in both user and kernel mode while also combatting successful exploitation of vulnerabilities. This is a significant improvement, given, as Wojtczuk points out the obvious, "attackers love arbitrary code running in ring0," which isn't possible with Kernel HVCI, according to Wojtczuk. Still, Device Guard and HVCI are not without flaws. Wojtczuk found that before the MS16-066 patch for Windows 10, bad actors could locate some pages with read/write/execute (RWX) permissions in ring0, giving them the ability to bypass HVCI.
"Device Guard is device-feature-dependent," says Bromium Founder and CTO Simon Crosby. "In particular, VBS requires Windows 10 Secure Boot, which is supported on all new PCs, but is not possible on older, BIOS-booted Windows endpoints that are upgraded to Windows 10. As a result, organizations will be unlikely to achieve enterprise-wide adoption of VBS in the near term."
Prominent information security strategist and professor Demetrios Lazarikos believes there's work to be done. "Given some of the recent ‘safe' boot compromise claims hitting media sites, I would also be concerned about the integrity of the data if the data were somehow manipulated or compromised prior to boot," says Lazarikos, who is currently chief information security officer at vArmour, a datacenter and cloud security provider.
Windows Defender ATP Service
There's no question that the Windows Defender ATP Service represents a step forward in bringing Windows Defender implementation and management into the enterprise. With its updated release in Windows 10, the service is now enabled by default.
However, "malware, rootkits and zero-day vulnerabilities still represent a significant challenge to any anti-virus or antimalware technology," says Bussie, adding that some protection is still better than no protection at all. But, "until perimeter firewalling, east-west firewalling and software firewalling are tied in with deep packet inspection, anti-virus will continue to be too late for targeted attacks."
Deepak Patel, director of Security Strategy for Web application firewall provider Imperva, argues that Windows Defender, or any other anti-virus software for that matter, will be unable to keep up with the constantly morphing malware. "There is enough evidence -- from reports like the Verizon Data Breach Investigations Report -- that shows most malware is only seen once in the wild," Patel says. "Also, it takes minimal effort to create new strains of malware with just enough variance to bypass [anti-virus] detection. This means threat intelligence and signature-based approaches to malware detection and containment can only stop known malware."
Because ATP is a cloud-based service, there are some questions surrounding how the protections would work (or not) when an ATP-protected system is offline.
"How will this service function when machines aren't connected?" Lazarikos asks. "Would it be possible to install or embed something that would ‘come alive' once it detected that the system wasn't connected, leaving it to operate in a vulnerable state?"
Again, some of the challenges with newer capabilities are that they aren't always backward-compatible, even if Microsoft does everything in its power to meet this challenge.
"I wish Microsoft had offered this as an enterprise offering for all Windows endpoints," says Crosby. "However, ATP is Windows 10-specific and requires that the customer is on an enterprise license under Software Assurance."
Windows Hello is Microsoft's approach to implementing multi-factor authentication as a replacement to passwords. Introduced last year with Windows 10, the core idea is that users can leverage facial recognition or fingerprint readers to log into their compatible Windows 10 device.
"Several of these pieces require specific hardware (cameras, chipsets), which will exist in newer systems, but not many legacy systems," says Eldon Sprickerhoff, founder and chief security strategist at eSentire Inc., a supplier of incident detection and response systems. "Unless the user experience is uniformly positive, it's not going to get significant traction."
Windows Hello isn't a Microsoft-only option. "What happens if and when other vendors create their own solutions?" asked Lazarikos. "Remember when Lenovo and Dell created their own biometrics systems -- which one would you choose if there were more than one option available?"
The challenges of adoption aren't limited to Windows machines, as clearly pointed out by Bromium's Crosby: "Windows Hello is a fantastic capability for local access to a device, but doesn't banish usernames and passwords altogether because users of Web services will still need to log in to those services in site-specific ways."
Perhaps the default choice is made for the enterprise, leaving the integration of these security systems up to the InfoSec practitioners to deal with. To help keep the UX and management consistent, Microsoft has made the authentication framework extensible, as can be found with Intel's Hello-enabled Authenticate Technology and emphasized by its involvement and support for the Fast IDentity Online (FIDO) Alliance. The Windows 10 Anniversary Update supports the new FIDO 2.0 spec, which Microsoft says sets the stage for Windows Hello to support industry standards and work across platforms and within heterogeneous environments, which the company says is "central to our strategy for Windows Hello."
The update to Windows Hello with the Windows 10 Anniversary Update also allows for per-application authorization based on facial or fingerprint recognition. This is great for defining fine-grained policies, but could also introduce additional challenges.
"The per-application approach is a great feature for those who are concerned that a user accessing applications might not actually be the same user that unlocked the workstation," adds Bussie. "However, systems are inherently flawed by believing that the logged-in user really is the user behind the keyboard. While this is a better approach to solving the problem beyond relying on easy-to-guess or -crack passwords, the OS is still potentially vulnerable to being fooled."
Windows Information Protection
Windows Information Protection is one part data at rest (Enterprise BitLocker) and three parts Data Protection (leak protection, sharing protection and data separation). The idea of building data loss prevention capabilities directly into the OS should prove great for system performance, widespread adoption and integration into core Windows applications.
While BitLocker should be essential in enterprise builds, it should be noted that a certain level of training is also needed for the users. David Kennefick, solutions architect at Dublin-based managed security services provider Edgescan, offers this useful tip: "If a user is told to shut down their machine when it's not in use or they don't have it on their person, this can severely hamper an attack attempt. If a user has just set their machine to sleep as opposed to shut-down, there is a potential for compromise if an attacker is able to access the memory of the machine while it sits in this state."
It may be a small window of vulnerability, but one that should be taken seriously as the encryption keys are stored in memory for use when the machine "wakes up." "It is also useful for organizations to know the state of a laptop if it has been lost or stolen," Kennefick adds. "If the laptop was shut down, it is less likely to be exploited compared to a laptop that has just been put in sleep mode."