The aim of this blog post is to explain what each Windows Defender mechanism is, what it does, and how it can be used to help you secure Windows 10 devices on your network. For specific configuration settings, we’ve provided links to the NCSC End User Device guidance, which provides suggested settings for securing Windows 10.
This blog post refers to the options available in Windows 10 1809, so if you’re using a different version, some settings may not be available. It’s also worth noting that most functionality will require compatible hardware, with support for Trusted Platform Module (TPM) 1.2 or greater, UEFI 2.3.1, Secure Boot and support for virtualization extensions such as Intel VT-X.
Windows Defender has several components:
- Windows Defender Antivirus (Pro + Enterprise)
- Windows Defender Firewall (Pro + Enterprise)
- Windows Defender Application Guard (Enterprise)
- Windows Defender Exploit Guard (Pro + Enterprise)
- Windows Defender Advanced Threat Protection (Enterprise)
- Windows Defender Application Control (Pro + Enterprise)
- Windows Defender System Guard (Pro + Enterprise)
- Windows Defender Credential Guard (Enterprise)
A full comparison of the features available in each version of Windows 10 can be found at https://www.microsoft.com/en-us/windowsforbusiness/compare.
The sections below provide more detailed information on each of these components.
Windows Defender Antivirus
Windows Defender Antivirus, previously known as “Windows Defender”, is the antivirus protection included with Windows 10. It provides the standard antivirus features, such as real-time protection against viruses and malware, as well as cloud-backed scanning and updating mechanisms.
Windows Defender Antivirus can be managed through:
- Group Policy
- SCCM (System Center Configuration Manager)
- Windows Management Instrumentation (WMI)
It’s worth noting, however, that a centralised console, such as would be found with other anti-virus software, is only available within SCCM or Intune, which is licensed separately. However, Windows can be configured to submit events to a centralised Security Information and Event Management (SIEM) solution, which would allow you to centrally monitor the status of Windows Defender Antivirus across your estate¹.
Windows Defender Antivirus will disable itself when another antivirus product is installed, if you would prefer to stick with an existing solution.
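As an added example (not code from the original post), the following script reports the local Windows Defender Antivirus state and pulls the operational-log events that a SIEM collector would typically forward. It assumes Windows 10 1809 with the Defender PowerShell module and an elevated session; the chosen event IDs are the ones documented for the Microsoft-Windows-Windows Defender/Operational log.

```powershell
# Added example, not from the original post: report Windows Defender Antivirus
# health locally and pull the operational events a SIEM collector would forward.
# Assumes Windows 10 1809 with the Defender PowerShell module, run elevated.

function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    [PSCustomObject]@{
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        # MAPSReporting: 0 = cloud-delivered protection off, 1 = basic, 2 = advanced
        CloudProtection    = $prefs.MAPSReporting -ne 0
        SignatureAgeDays   = $status.AntivirusSignatureAge
        LastQuickScan      = $status.QuickScanEndTime
        # AntivirusEnabled goes False when Defender has stepped aside for a
        # third-party product, which is exactly what a central view should flag
        SteppedAside       = -not $status.AntivirusEnabled
    }
}

# Operational log events worth forwarding: 1116 malware detected, 1117 action
# taken, 5001 real-time protection disabled, 5007 configuration changed,
# 2001 security intelligence update failed
$script:DefenderEventIds = 1116, 1117, 5001, 5007, 2001

function Get-DefenderEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = $script:DefenderEventIds
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-DefenderHealth | Format-List
Get-DefenderEvents -Hours 24 | Format-Table -AutoSize
```

Without SCCM or Intune, forwarding this same log with Windows Event Forwarding (or a SIEM agent) gives you the estate-wide view the console would otherwise provide; the 5001 and 5007 events are the ones to alert on, since they show protection being switched off or reconfigured.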
Windows Defender Firewall
Windows Defender Firewall is an updated version of the Windows Firewall, originally introduced in Windows XP. It supports filtering of inbound and outbound traffic, based on the network zone (which can be configured by administrators).
We recommend that you enable the firewall, and configure it with both inbound and outbound filtering that restricts access to only those systems and services that are required; for example, by only allowing installed web browsers to access the internet.
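The following is an added example (not from the original post) of configuring Windows Defender Firewall in the way described above: default-deny in both directions on every profile, with explicit outbound allowances for a browser and for the Windows services that must still reach the network. The browser path and the service rules are assumptions for this example; pilot the configuration first, because a default-deny outbound policy breaks anything that is not explicitly listed.

```powershell
# Added example, not from the original post: a default-deny firewall on all
# profiles with explicit outbound allowances. The browser path and the service
# rules are assumptions for this example; run elevated and pilot first, since
# default-deny outbound breaks anything not explicitly listed.

Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Outbound allowances: program, protocol, ports and (for svchost) the one service allowed
$allowances = @(
    @{ Name = 'Allow Firefox web access'; Program = 'C:\Program Files\Mozilla Firefox\firefox.exe'; Protocol = 'TCP'; Port = 80, 443 }
    @{ Name = 'Allow DNS client';         Program = '%SystemRoot%\System32\svchost.exe'; Service = 'Dnscache'; Protocol = 'UDP'; Port = 53 }
    @{ Name = 'Allow Windows Update';     Program = '%SystemRoot%\System32\svchost.exe'; Service = 'wuauserv'; Protocol = 'TCP'; Port = 80, 443 }
)

foreach ($a in $allowances) {
    if (Get-NetFirewallRule -DisplayName $a.Name -ErrorAction SilentlyContinue) { continue }  # idempotent
    $params = @{
        DisplayName = $a.Name; Direction = 'Outbound'; Action = 'Allow'; Profile = 'Any'
        Program = $a.Program; Protocol = $a.Protocol; RemotePort = $a.Port
    }
    if ($a.Service) { $params.Service = $a.Service }   # tie svchost rules to a single service
    New-NetFirewallRule @params | Out-Null
}

# Review: which programs may talk out, so the allow-list can be audited
function Get-OutboundAllowList {
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [PSCustomObject]@{
            Rule     = $_.DisplayName
            Program  = $app.Program
            Protocol = $port.Protocol
            Ports    = $port.RemotePort -join ','
            Profile  = $_.Profile
        }
    }
}
Get-OutboundAllowList | Sort-Object Program | Format-Table -AutoSize
```

The review function is the part to keep running: Windows ships with a number of built-in allow rules, and installers add more, so the effective outbound allow-list drifts unless it is checked against what you intended to permit.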
Windows Defender Application Guard
Windows Defender Application Guard allows untrusted websites to be accessed in an isolated instance of Microsoft Edge, running in a Hyper-V enabled container. This means that if the browser is compromised, an attacker would then need to conduct a virtual-machine escape in order to access information on the user’s device.
In order to use this, you will need a computer that supports virtualisation, and Microsoft recommends at least 8GB RAM².
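Since Application Guard, and the hardware-backed features introduced at the top of the post, all depend on a TPM, UEFI Secure Boot, virtualisation extensions and (for Application Guard) enough memory, an added example follows (not from the original post) that checks a device against those prerequisites. It reads the TPM, Secure Boot and processor state through the built-in cmdlets and the Win32_DeviceGuard class, and should be run elevated.

```powershell
# Added example, not from the original post: check a device against the hardware
# prerequisites mentioned above (TPM 1.2+, UEFI with Secure Boot, virtualisation
# extensions, and the 8 GB RAM Microsoft recommends for Application Guard).

function Test-DefenderHardwareReadiness {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmSpec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
                -ErrorAction SilentlyContinue).SpecVersion
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS boot
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [PSCustomObject]@{
        TpmPresent        = [bool]$tpm.TpmPresent
        TpmReady          = [bool]$tpm.TpmReady
        TpmSpecVersion    = $tpmSpec                 # e.g. "2.0, 0, 1.38" or "1.2, 2, 3"
        UefiSecureBoot    = $secureBoot
        # Once a hypervisor is running it owns VT-x, so the firmware flag reads False;
        # HypervisorPresent = True is then the positive signal
        VirtualisationFw  = $cpu.VirtualizationFirmwareEnabled
        SlatSupported     = $cpu.SecondLevelAddressTranslationExtensions
        HypervisorPresent = $cs.HypervisorPresent
        MemoryGB          = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        AppGuardRamOk     = $cs.TotalPhysicalMemory -ge 8GB
        # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot,
        # 3 = DMA protection, 4 = Secure Memory Overwrite, 5 = NX, 6 = SMM mitigations, 7 = MBEC
        VbsProperties     = $dg.AvailableSecurityProperties -join ','
    }
}

Test-DefenderHardwareReadiness | Format-List
```

The VbsProperties line is the quickest way to see why virtualisation based security is not available on a given model: if 1 (hypervisor support) or 2 (Secure Boot) is missing, a firmware setting is usually the cause.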
The following diagram from Microsoft shows how Windows Defender Application Guard offers isolation of the Microsoft Edge process:
Figure 1 - Image courtesy of Microsoft
Windows Defender Application Guard only works with Edge, although if a user attempts to browse to an untrusted website in Internet Explorer, an Application Guard session will be launched to access that website. This means that Application Guard can’t be used with other browsers such as Chrome or Firefox; however the security benefits are likely to outweigh any usability benefits from the user’s perspective.
In order to get the most benefit from Application Guard, you will need to configure it in Enterprise Mode. With Enterprise Mode, you can configure which websites should be loaded in Application Guard, and which should be loaded in the regular Microsoft Edge environment. Information on the appropriate settings can be found at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard under the “Network Isolation Settings” heading.
You can also configure how restricted the Application Guard sandbox is, including restricting whether users can print Application Guard web pages, download files, or use the camera and microphone. The NCSC have published some recommended settings for these in their Windows 10 1809 End User Device Security Guidance; however these settings are likely to depend on your organisation’s risk appetite.
Windows Defender Device Guard
Since Windows 10 1709, Windows Defender Device Guard has been split into Windows Defender Exploit Guard and Windows Defender Application Control.
We have provided more information on those below.
Windows Defender Exploit Guard
Windows Defender Exploit Guard is a set of intrusion prevention mechanisms for Windows 10, which allow you to reduce the attack surface of applications used by users.
Exploit Guard has 4 features:
- Attack Surface Reduction Rules – contains mechanisms to stop common ways of loading malware onto end user devices, such as via malicious office macros sent in emails.
- Network Protection – provides scanning of network traffic for malware.
- Controlled Folder Access – detects and blocks changes to key files made by suspicious software, such as ransomware.
- Exploit Protection – a replacement for Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), with additional features. Implements measures to mitigate common exploits, such as data execution prevention (DEP) and memory allocation randomisation (ASLR).
More detailed information on these is provided below.
Attack Surface Reduction Rules
Attack Surface Reduction Rules can be configured to stop common ways of loading malware onto end user devices.
These can be configured to:
- Block executable content from Outlook and common webmail sites;
- Block common mechanisms used by malicious Office macros to load malicious code (creating child processes, creating executable content, injecting code into other processes or making Win32 API calls);
- Prevent Adobe Reader creating child processes, to mitigate attacks making use of malicious PDF files;
- Prevent scripts that appear to be obfuscated from executing;
- Require executable files to meet a defined prevalence, age, or be on a trusted list, in order to execute. This requires cloud-delivered protection in order to work;
- Block credential stealing attacks from the Windows Local Security Authority SubSystem (LSASS), to guard against tools such as mimikatz;
- Prevent WMI or PsExec commands being used to create new processes. Configuring this will stop SCCM working on user devices;
- Prevent untrusted and unsigned executables being run from USB devices; and
- Block executable files that closely resemble malware. This requires cloud-delivered protection in order to work.
Microsoft has provided more information on the various options, and NCSC have included recommended restrictions in their End User Device Security Guidance.
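As an added example (not from the original post), the script below shows a staged rollout of the rules listed above: every rule is first set to audit mode, and after the audit events have been reviewed the rules are moved to block, with the PsExec/WMI rule deliberately left in audit mode where SCCM is in use. The GUIDs are the rule identifiers Microsoft publishes for these rules; verify them against the current documentation before deploying, and note that the event data field names used in the report are those emitted by Windows 10 1809.

```powershell
# Added example, not from the original post: staged rollout of Attack Surface
# Reduction rules with an audit-event report. Rule GUIDs are those Microsoft
# publishes for the named rules; confirm against current documentation. Run elevated.

$asrRules = @{
    'Block executable content from email client and webmail'  = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office from creating executable content'           = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office from injecting code into other processes'   = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macros'                 = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block Adobe Reader from creating child processes'         = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block execution of potentially obfuscated scripts'        = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block credential stealing from LSASS'                     = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block process creations from PsExec and WMI'              = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
    'Block untrusted and unsigned processes that run from USB' = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
}

function Set-AsrStage {
    # Stage 'Audit' logs what would be blocked (event 1122) without affecting users;
    # stage 'Enforce' blocks (event 1121) except for rules named in -KeepInAudit.
    param(
        [ValidateSet('Audit', 'Enforce')][string]$Stage,
        [string[]]$KeepInAudit = @()
    )
    foreach ($name in $asrRules.Keys) {
        $action = if ($Stage -eq 'Audit' -or $name -in $KeepInAudit) { 'AuditMode' } else { 'Enabled' }
        Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules[$name] `
                         -AttackSurfaceReductionRules_Actions $action
    }
}

function Get-AsrEvents {
    # Summarise audit/block events per rule over the last $Days days
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = $data['ID']
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1121) { 'Block' } else { 'Audit' }
            Rule    = ($asrRules.GetEnumerator() | Where-Object { $_.Value -eq $ruleId }).Key
            Process = $data['Process Name']
            Target  = $data['Path']
        }
    }
}

# Week 1: audit only
Set-AsrStage -Stage Audit
# Review what each rule would have blocked, grouped by rule and process
Get-AsrEvents -Days 7 | Group-Object Rule, Process | Sort-Object Count -Descending | Format-Table Count, Name
# Then enforce, keeping the rule that breaks SCCM client operations in audit
Set-AsrStage -Stage Enforce -KeepInAudit 'Block process creations from PsExec and WMI'
```

The grouped report is what makes the audit stage useful: a rule that fires constantly for a line-of-business application needs an exclusion (or should stay in audit) before it is enforced, while a rule that never fires in audit can be enforced with little risk.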
Network Protection
Network protection expands the scope of Windows Defender SmartScreen to block attempts to access possibly malicious websites from all browsers, by blocking all outbound HTTP and HTTPS traffic to domains with a low reputation. Cloud-delivered protection is required for this functionality to work.
Microsoft has provided more information on Network Protection at: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard
Controlled Folder Access
Controlled folder access helps protect data from ransomware and other malicious software. Any executable file (.exe, .dll, .scr, etc.) that attempts to make changes to files in a protected folder is assessed by Windows Defender Antivirus, and the actions are blocked if the executable is deemed to be suspicious or malicious.
You can configure any applications that should be allowed to access protected folders, and also add more folders to be protected by Controlled folder access. By default, system folders and the default user profile folders (such as Documents, Pictures, Movies, and Desktop) are protected. If you are using folder redirection, and want to protect users’ profile folders, the redirected locations will need to be added to Controlled folder access.
Microsoft has provided more information on Controlled folder access at: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.
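The folder redirection case above is the one most often missed, so here is an added example (not from the original post) that enables Controlled folder access in audit mode, reads the redirected shell folder locations from the user hive and adds any that sit outside the local profile, then permits one known application. The backup application path is an assumption; the script needs an elevated session under the user whose redirected folders are being read.

```powershell
# Added example, not from the original post: enable Controlled folder access,
# add redirected profile folders so they are covered, and allow a known
# application. Run elevated as the user whose redirection is being read; the
# backup application path is an assumption for this example.

# Audit first: 1124 events show what would have been blocked; Enabled blocks (1123)
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Folder redirection rewrites the shell folder locations in the user hive; the
# defaults under C:\Users are protected automatically, redirected paths are not
$shellFolders = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$redirected = foreach ($name in 'Personal', 'Desktop', 'My Pictures', 'My Video') {
    $path = [Environment]::ExpandEnvironmentVariables([string]$shellFolders.$name)
    if ($path -and $path -notlike "$env:SystemDrive\Users\*") { $path }   # only off-profile locations
}
foreach ($folder in $redirected) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
}

# Applications that legitimately write to protected folders (assumed path)
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

# Verify the resulting configuration
function Get-CfaConfig {
    $p = Get-MpPreference
    [PSCustomObject]@{
        Mode         = switch ($p.EnableControlledFolderAccess) { 0 {'Off'} 1 {'Block'} 2 {'Audit'} }
        ExtraFolders = $p.ControlledFolderAccessProtectedFolders -join '; '
        AllowedApps  = $p.ControlledFolderAccessAllowedApplications -join '; '
    }
}
Get-CfaConfig | Format-List
```

A device that only ever reports mode 2 (audit) has not actually gained the protection; once the 1124 events have been reviewed for false positives, switch the setting to Enabled.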
Exploit Protection
Exploit Protection builds on the functionality originally introduced with the Enhanced Mitigation Experience Toolkit (EMET) previously released by Microsoft.
Exploit Protection includes standard exploit mitigation measures, such as Data Execution Prevention (DEP), and Address Space Layout Randomisation (ASLR), as well as options to block other attack vectors, such as untrusted fonts, remote images and Win32k system calls.
Microsoft has now stopped supporting EMET, and recommends customers use the exploit protection mechanisms introduced in Windows 10. If you were previously using EMET, you can convert existing EMET policies into Exploit Protection.

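As an added example (not from the original post), the following script converts an EMET export, applies system-wide DEP and ASLR defaults, and sets the per-process font and remote-image mitigations mentioned above on a PDF reader. The EMET file location, the policy output path and the reader executable name are assumptions; run it elevated.

```powershell
# Added example, not from the original post: migrate an EMET policy, set
# system-wide mitigations, and harden a document reader per process. The file
# paths and the reader executable name are assumptions. Run elevated.

# 1. Convert an EMET XML export to the Exploit Protection format and apply it
$emetXml = 'C:\Policies\EMET_Settings.xml'          # assumed export location
$epXml   = 'C:\Policies\ExploitProtection.xml'
if (Test-Path $emetXml) {
    ConvertTo-ProcessMitigationPolicy -EMETFilePath $emetXml -OutputFilePath $epXml
    Set-ProcessMitigation -PolicyFilePath $epXml
}

# 2. System defaults: DEP, bottom-up and high-entropy ASLR, SEHOP, CFG for every process
Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy, SEHOP, CFG

# 3. Per-process settings for a third-party PDF reader (assumed executable name):
#    block non-system fonts and images loaded from remote shares. Win32k syscall
#    blocking is left out here because it only suits processes without a GUI.
$reader = 'AcroRd32.exe'
Set-ProcessMitigation -Name $reader -Enable DisableNonSystemFonts, BlockRemoteImageLoads

# 4. Report what is actually in force for the reader
function Get-MitigationSummary {
    param([string]$Process)
    $m = Get-ProcessMitigation -Name $Process
    [PSCustomObject]@{
        Process         = $Process
        DEP             = $m.Dep.Enable
        BottomUpASLR    = $m.Aslr.BottomUp
        HighEntropyASLR = $m.Aslr.HighEntropy
        NonSystemFonts  = $m.Font.DisableNonSystemFonts
        RemoteImages    = $m.ImageLoad.BlockRemoteImageLoads
    }
}
Get-MitigationSummary -Process $reader | Format-List

# 5. Export the consolidated settings so they can be distributed by Group Policy
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Policies\ExploitProtection-export.xml'
```

Each value in the summary reads ON, OFF or NOTSET; NOTSET means the process inherits the system default, which is why step 2 matters even for applications you never configure individually.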
Windows Defender Application Control
Windows Defender Application Control (WDAC) can be used to restrict what applications users can run, similar to AppLocker, and prior to that Software Restriction Policies. However, WDAC does not allow for policies to be applied to a particular user or security group, meaning that it is less flexible than AppLocker.
Microsoft suggest using both WDAC and AppLocker in tandem, with Application Control set to allow all software used by all users across your organisation, and then further restrictions implemented using AppLocker. For example, the use of PowerShell or Command Prompt is likely to be required by IT support staff, so will need to be allowed within WDAC; but is unlikely to be required by end users, so can be restricted using AppLocker for standard users.
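Here is an added example (not from the original post) of the layered approach just described: a WDAC policy built from a reference machine and compiled in audit mode, followed by a check of whether a standard user could launch PowerShell under the AppLocker policy in effect on the device. The policy paths and the domain account name are assumptions; run it elevated on a clean reference build, and expect the full-disk scan to take a while.

```powershell
# Added example, not from the original post: build a WDAC policy in audit mode
# from a reference build, then test a user against the effective AppLocker
# policy. Paths and the account name are assumptions. Run elevated.

$policyXml = 'C:\Policies\WDAC-Base.xml'
$policyBin = 'C:\Policies\SIPolicy.p7b'

# 1. Publisher-level rules for everything installed, falling back to file hashes
#    for unsigned binaries; -UserPEs covers user-mode applications, not only drivers
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml -ScanPath 'C:\' -UserPEs

# 2. Option 3 = audit mode: violations are logged to
#    Microsoft-Windows-CodeIntegrity/Operational (event 3076) but nothing is blocked
Set-RuleOption -FilePath $policyXml -Option 3

# 3. Compile to the binary form Windows loads; deploy via Group Policy or MDM
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# 4. After reviewing 3076 events, remove option 3 to enforce (event 3077 = blocked):
#    Set-RuleOption -FilePath $policyXml -Option 3 -Delete

# AppLocker layers the per-user restriction on top. Test whether an account
# could run a given executable under the policy currently in effect here.
function Test-UserCanRun {
    param([string]$Path, [string]$User)
    $policy = Get-AppLockerPolicy -Effective
    (Test-AppLockerPolicy -PolicyObject $policy -Path $Path -User $User).PolicyDecision
}

$ps = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
Test-UserCanRun -Path $ps -User 'CONTOSO\standarduser'   # expect Denied once the AppLocker rule is in place
Test-UserCanRun -Path $ps -User 'CONTOSO\itsupport'      # expect Allowed
```

Running the same test for both account types is a cheap regression check after any AppLocker change: the WDAC layer stays permissive for PowerShell, so only the AppLocker decision should differ between the two users.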
More information on Windows Defender Application Control can be found on the Microsoft website.
Windows Defender System Guard
Windows Defender System Guard consolidates the various system integrity options within Windows 10 under one banner. It is designed to provide protection against bootkits and rootkits, as well as attacks targeting core system services or attempting to alter the integrity of the system.
System Guard offers virtualisation based security, which works by running a hypervisor on the device hardware, with the main Windows operating system and the Windows Defender System Guard secure environment in separate Hyper-V containers. It also offers hypervisor protected code integrity (HVCI), which only makes kernel memory pages executable after they have passed code integrity checks within the secure runtime environment. Executable pages are never writable.
The following diagram from Microsoft illustrates how virtualisation based security works:
Figure 2 - Image courtesy of Microsoft
Microsoft has also introduced runtime attestation within Windows Defender System Guard, which provides validation that the system has not been tampered with. This includes validation of the boot state of the machine, ensuring that the device booted with secure boot enabled, and that operating system, hypervisor and secure kernel binaries are signed by Microsoft and securely configured. It also verifies the integrity of the virtualisation based security enclave. Software, such as AntiVirus, can request a runtime report, providing assurance that the device has not been tampered with.
For clean installs of Windows 10, hypervisor protected code integrity and elements of virtualisation based security will be enabled by default on devices that meet the hardware and firmware requirements. For existing Windows 10 installations, we recommend you enable this feature where possible, after extensive testing to ensure there are no compatibility issues with any device drivers you may be using.
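As an added example (not from the original post), the script below reports whether virtualisation based security and HVCI are configured and actually running, using the Win32_DeviceGuard class, and shows how to enable HVCI on an existing installation through the registry values Windows reads at boot (the same values the "Turn On Virtualization Based Security" Group Policy sets). Run it elevated; the enable step needs a reboot and, as the post says, should follow driver testing.

```powershell
# Added example, not from the original post: report VBS/HVCI state via
# Win32_DeviceGuard and enable HVCI through the DeviceGuard registry keys.
# Run elevated; reboot required; test driver compatibility first.

function Get-VbsState {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' } 1 { 'Enabled but not running' } 2 { 'Running' }
    }
    # SecurityServices values: 1 = Credential Guard, 2 = HVCI
    [PSCustomObject]@{
        VbsStatus           = $vbsStatus
        HvciConfigured      = 2 -in $dg.SecurityServicesConfigured
        HvciRunning         = 2 -in $dg.SecurityServicesRunning
        CredGuardRunning    = 1 -in $dg.SecurityServicesRunning
        RequiredProperties  = $dg.RequiredSecurityProperties -join ','
        AvailableProperties = $dg.AvailableSecurityProperties -join ','
    }
}

function Enable-Hvci {
    # Secure Boot (1) as the platform security level; 3 would also require DMA protection.
    # Locked = 0 keeps the setting changeable without a UEFI-locked configuration.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey   -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey   -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name Locked  -Value 0 -Type DWord
}

Get-VbsState | Format-List
# Enable-Hvci; Restart-Computer   # uncomment once driver testing is complete
```

The distinction between HvciConfigured and HvciRunning is the check worth keeping in an inventory report: a device can carry the policy yet never start the feature if a prerequisite listed in RequiredProperties is missing from AvailableProperties.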
More information on Windows Defender System Guard can be found at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows
Windows Defender Advanced Threat Protection
Windows Defender Advanced Threat Protection (ATP) is a cloud-based tool to assist in the detection of an intrusion after it has occurred. To use it, you will need a Windows 10 Enterprise E5, Windows 10 Education E5, or Microsoft 365 E5 subscription for each device.
Advanced threat protection makes extensive use of the functionality outlined in this blog post, branded as “Attack surface reduction” and “Next generation protection”. It adds a security operations dashboard, queues for incidents and alerts, as well as automated investigation and remediation options. If you’re using Azure Active Directory, information from Advanced Threat Protection can feed into Conditional Access, to prevent insecure devices accessing resources. Windows Defender ATP also integrates well with Office 365 ATP if you’re using that.
As you can see, Microsoft has introduced a lot of functionality to help improve the security posture of Windows 10, and this is likely to continue with each new release of Windows 10.
Quite a lot of these features are only present in the Enterprise edition, so we’d recommend you choose Windows 10 Enterprise as part of your volume licensing agreement, at either the E3 or E5 level.
Some of the features require the use of Microsoft’s cloud, so whether you use these will depend on the configuration and risk appetite of your particular environment.