At this time of year, the people of Iceland traditionally place their best shoes in their windows in the hope that the Yule Lads will leave gifts in them. But with a well-earned reputation for making mischief there's every chance that the gift a Yule Lad leaves won't be one that anyone would want! As we only want you to receive welcome gifts through your Windows, this blog is going to talk about the Windows 10 platform and what the NCSC has done to protect its devices from unwanted gifts of malware*.
You might recall that at the beginning of the year we wrote a series of blogs on the principles and decision process the NCSC took when building our IT system; we covered the architecture we used, the thought process behind choosing a mobile device management (MDM) product and the approach we took on networking in the cloud. This is the latest of that series, and if you missed any of those earlier ones they are worth a read.
First things first
Everything we do on our devices is documented in our end user device (EUD) guidance. In this blog I will be going over some key points on how we used that guidance to inform our decisions. We also use iOS devices for working on the move, but as we covered malware prevention for them in another blog, we won't be discussing them here.
Obviously, allowing users to run as administrators would undermine any security policy or enforcement you have put in place. By default Windows gives its users administrator access, and the traditional desktop apps (aka Win32 apps or legacy apps) have additional capabilities to access resources belonging to the operating system. So we turn that off. Our users do not have administrator access to their devices.
We also use our own recommended security baselines and Microsoft's enterprise baselines. Both of which come in a format that can easily be deployed across your existing infrastructure.
Controlling what can run
One of our key mitigations against malware is only allowing those programs to run which the administrators have permitted, forcing any malware to rely on vulnerabilities to be able to execute. And as I said above, the traditional Windows desktop apps have permissions to access vast amounts of system resources, increasing the attack surface and allowing potentially untrusted apps with privileged access to run on the platform. By enforcing the following, we ensure we control what can run:
- Application control – we have an approved list of apps users can download to their devices, this is currently supported by System Centre Configuration Manager (SCCM). We've looked at, and will soon be using, Windows Store for Business to allow for the more modern and secure Universal Windows Platform (UWP) apps and some trusted Line of Business apps.
- AppLocker – we have set AppLocker’s default rules (with some exceptions for EXEs, scripts, DLL and packaged app) and gained fine grain control of what can run on the device from the standard installation of Windows. The example rule set is in our Windows 10 guidance.
When we deploy new devices we download the base image directly from Microsoft, giving us confidence that the image is definitely clean and there are no surprises waiting. We're also exploring the possibility of using Signature Edition builds to achieve the same outcome.
We don't use any third-party antivirus on our Windows devices, but we do we use a range of tools from the "Windows Defender" suite to help us:
- Windows Defender Firewall – if malware finds its way onto your platform it will sometimes try and reach out to external servers to download additional malware and executable payloads on the device. We use this inbuilt firewall to prevent certain apps from communicating with hosts on the Internet or from spreading around the network using certain Windows services. This firewalling apps method can be adapted to allow certain apps to still communicate with internal resources.
- Windows Defender Antivirus – we believe this has the level of protection that we need and, as it comes as part of Windows, it is updated regularly and works with the Antimalware Scanning Interface (AMSI). We also use cloud-backed protections such as "Block At First Sight" and "Windows Defender SmartScreen". Mixing traditional antivirus with cloud-backed solutions sets a good level of protection on our end user devices against known malware and malware that's not been seen before.
- Windows Defender Credential Guard – we deploy this to help protect users' domain credentials, taking advantage of the way it works by isolating 'secrets' from all but the privileged system processes.
For our devices running Windows 10 1703 (and earlier) we have deployed the Enhanced Mitigation Experience Toolkit (EMET) because it offers further protection that isn't built in to the operating system (OS). It is especially useful for some of the traditional Win32 applications with their additional accesses. As EMET is being replaced mid-2018 we are about to run a small pilot of Windows 1709 Fall Creators Update where its replacement, Windows Defender Exploit Guard, is built in to the OS. We plan to release guidance on the Windows 1709 recommended configuration in early 2018.
Macros and scripts
Macros and scripts are another common way for malware to execute, so we control both Office macros and PowerShell on end user devices.
- We run the latest version of PowerShell and stop it launching earlier, less secure versions by removing version 2.x of the .NET framework.
- We enable logging through group policy.
- We set execution policy to only run signed trusted scripts.
And for macros:
- We only allow macros in trusted files.
- We don't allow them to connect to the Internet and we block anything that comes from the Internet.
- We stop them running by default.
For more detailed information on macros we have recently published security guidance.
Patch, patch, patch!
Malware will take advantage of weaknesses in apps or the OS, so one of the most important things we do for protection is patching to provide fixes and help reduce the likelihood of exploitation. We utilise Windows Update for Business to automate this process. For Windows 10, updates come in two forms - quality updates and feature updates;
- Quality updates are released monthly (normally on "Patch Tuesday") and include things like bug fixes, security improvements and driver updates.
- Feature updates are released every 6 months (in the Semi-Annual Channel) and are much larger than quality updates and, as the name suggests, include new OS features and bigger improvements.
Quality updates (including non-deferrable and emergency security patches) are downloaded and installed automatically each month or whenever available to our users' devices. As for feature updates, we always start by running a small pilot to validate that the apps, devices and infrastructure we use work well with the new release. We then gradually begin a broader deployment across the NCSC, and this can typically take a few months to complete.
Did I miss anything?
If you have any thoughts or feedback on the above, please use the blog comments below to get in touch or use Contact us.
Remember, keeping your Windows closed and secure will stop malware from peering through your windows and stealing your sausages.
EUD Security Research
*Yule forgive us for the tortuous windows/Windows/Christmas set up. It was fairy unlikely we'd get the opportunity to present that pun again. There was snow way we could ignore it, that would've sleighed us. It was practically gift-wrapped.