Windows Defender Exploit Guard: native EMET in Windows 10
Microsoft revealed new security features of the upcoming Windows 10 Fall Creators Update yesterday to improve Windows 10 device security.
The company revealed a new set of tools, all built around Windows Defender Advanced Threat Protection: Windows Defender Exploit Guard, Windows Defender Application Guard, and improvements to Windows Defender Device Guard and Windows Defender Antivirus Protection.
Note: It is unclear right now if any of the new features will be made available to consumer machines running the Windows 10 Fall Creators Update, or if they are all reserved to the Volume Licensing offers Windows 10 Enterprise E5, Windows 10 Education E5, or Secure Productive Enterprise E5 as referenced on the Windows Defender Advanced Threat Protection system requirements page. The articles are clearly aimed at a business audience.
EMET's development was put on ice by Microsoft, with the company claiming that Windows 10 made EMET something that users of the operating system would not need anymore. That claim was disputed, but it did not stop Microsoft from announcing July 2018 as the month in which support for EMET would be dropped.
Windows Defender Exploit Guard
Microsoft has already built some Exploit Mitigation Experience Toolkit protections into Windows 10 natively. Windows Defender Exploit Guard is a native implementation of EMET that Microsoft has extended with new vulnerability mitigations that are not part of EMET.
Exploit Guard furthermore uses intelligence from ISG for intrusion rules and policies.
Using intelligence from the Microsoft Intelligent Security Graph (ISG), Exploit Guard comes with a rich set of intrusion rules and policies to protect organizations from advanced threats, including zero day exploits.
Microsoft confirms that companies will be able to apply vulnerability mitigations to classic Win32 applications on Windows 10, as has been the case with EMET. Exploit Guard will also be able to automatically block websites that are known to host malicious code.
With the addition of EMET technology, companies will be able to apply advanced vulnerability mitigations on legacy apps running on Windows 10 without the need to recompile them. Another powerful Windows Defender Exploit Guard capability will allow automatic blocking of websites known to host malicious code, by leveraging Windows Defender SmartScreen knowledge base.
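The cmdlets below are an added example, not part of the article or of Microsoft's announcement; they use the PowerShell interface that shipped with Exploit Guard in the released Fall Creators Update (version 1709) to apply, audit, verify and export the per-application mitigations described above. The file names and legacyapp.exe are placeholders, and the event log name is taken from Microsoft's exploit protection documentation.

```powershell
# Added example (not from the article): per-application exploit protection
# with Windows Defender Exploit Guard on Windows 10 version 1709 or later.
# Run from an elevated PowerShell session. legacyapp.exe and the XML file
# names are placeholders.

# 1. Migrate an existing EMET configuration, if one exists, to the Exploit
#    Guard XML format and apply it. The protected applications are not
#    recompiled; the mitigations are applied by the OS at process start.
ConvertTo-ProcessMitigationPolicy -EMETFilePath .\EMET_Settings.xml -OutputFilePath .\ExploitGuard.xml
Set-ProcessMitigation -PolicyFilePath .\ExploitGuard.xml

# 2. Or configure one legacy Win32 application directly. DEP, SEHOP and the
#    ASLR-class settings are the classic EMET mitigations; the export address
#    filter and ROP checks also come from EMET.
Set-ProcessMitigation -Name legacyapp.exe -Enable DEP,SEHOP,ForceRelocateImages,BottomUp,HighEntropy,EnableExportAddressFilter,EnableRopStackPivot,EnableRopCallerCheck,EnableRopSimExec

# 3. Newer mitigations can break old code (JIT engines, plug-in launchers),
#    so run them in audit mode first and watch the event log before enforcing.
Set-ProcessMitigation -Name legacyapp.exe -Enable AuditDynamicCode,AuditChildProcess
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/UserMode' -MaxEvents 20 |
    Format-Table TimeCreated, Id, Message -AutoSize

# 4. Verify the effective per-process settings and export the whole
#    configuration for deployment to other machines (Group Policy, Intune
#    or Set-ProcessMitigation -PolicyFilePath on each host).
Get-ProcessMitigation -Name legacyapp.exe
Get-ProcessMitigation -RegistryConfigFilePath .\ExploitGuard-export.xml
```

Switch an audited mitigation to its enforcing counterpart (for example AuditChildProcess to DisallowChildProcessCreation) only after the log stays clean for the application's normal workload.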
Windows Defender Application Guard
Microsoft announced Windows Defender Application Guard for Microsoft Edge back in September 2016. The company planned to integrate it in the Creators Update, but did not go through with the plan at that time.
Application Guard is a virtualization technology designed to "stop attackers from establishing a foothold on the local machine or from expanding out into the rest of the corporate network".
Basically, Application Guard distinguishes between a set of trusted resources and anything else that is opened in Edge. Trusted resources work as they have before; for untrusted resources, Application Guard creates a new "instance of Windows" with a copy of the kernel and the minimum Windows Platform Services needed to run Microsoft Edge.
Application Guard blocks access to memory, local storage, installed applications, corporate network endpoints, and other resources, according to Microsoft. This also means that the virtual copy of Windows has no access to credentials or user data.
Microsoft notes that untrusted sites that are not malicious will work for the most part just like users would expect them to work. Users may print sites, use the clipboard for copy and paste operations, and perform many of the other operations that are commonly executed.
Administrators may restrict some of the functionality however.
Other security changes
Microsoft plans to integrate Windows Defender Device Guard into Windows Defender ATP to improve manageability and control.
Device Guard offers a set of features designed to protect against common threats such as exposure to new malware or unsigned code. Administrators may set up a list of whitelisted software that is allowed to run, or use code integrity policies to block unsigned code execution.
According to Microsoft, Windows Defender Antivirus and Windows Defender ATP use new intelligence, combined with data science and machine learning, to improve the protection of Windows 10 devices.
Microsoft plans to add new Security Analytics capabilities for administrators on top of that in the Fall Creators Update.
Here is a promotional video that Microsoft published, which explains the new features in less than 5 minutes.
Microsoft plans to introduce several new security technologies in the Windows 10 Fall Creators Update. I'm most excited about the native integration of EMET and Application Guard, and hope that these will become available for all users of Windows 10 and not just Enterprise customers.
Now You: What's your take on these new features?