Windows 10 Threat Mitigation advancements

The new Windows as a Service model of Microsoft has helped Microsoft implement new threat mitigations and protection against threats faster than in the previous model that saw new releases happen every three years.

Windows as a Service evolves the operating system constantly, or more precisely, twice a year with feature updates around March and September of each year.

A new blog post on Technet compares the old release model to the new in regards to threat mitigation, and highlights improvements and advancements that Microsoft made since the release of Windows 10.

Windows 10 Threat Mitigation advancements

windows 10 threat mitigation

The author compares exploitation a decade ago to exploitation techniques that are used today. Microsoft’s take away from that was that the faster release of Windows 10 feature updates would reduce the impact that new exploitation techniques had on the Windows population.

The graphic that you see above shows new threat mitigation techniques that Microsoft added to the first four versions of Windows 10.

The blog article highlights important mitigations afterwards:

  • User Mode Font Driver (UMFD) — A feature implemented in the original release version of Windows 10. It moved font processing into an App Container in user mode. Additionally, administrators may disable the processing of untrusted fonts for a process using the Process Font Disable policy. (see Block programs from loading untrusted fonts in Windows 10)
  • Win32k Syscall Filtering — The Win32k subystem is the number one target to escape the sandbox because of its large attack surface and its 1200 APIs. The feature limits the list if APIs that can be targeted.
  • Less Privileged App Container (LPAC) — LPAC is a restricted version of App Container that denies access by default.
  • Structured Exception Handling Overwrite Protection (SEHOP) — Designed to block exploit techniques that use the Structured Exception Handler (SEH) overwrite technique.
  • Address Space Layout Randomization (ASLR) — This technique loads dynamic link libraries into random memory address space to mitigate attacks that target specific memory locations.
  • Heap protections — Windows 10 protects the heap in various ways, for instance by using heap metadata hardening, and through heap guard pages.
  • Kernel pool protections — Protects the memory that is used by the kernel.
  • Control Flow Guard — Needs to be compiled into software programs. Microsoft added this to Edge, Internet Explorer 11 and other Windows 10 features. Control Flow Guard detects if an attack changes the “intended flow of code”.
  • Protected Processes — Protected processes are important or system critical processes. Windows 10 prevents untrusted processes from tampering with protected processes. In Windows 10, security applications may be put into the protected process space.
  • Universal Windows apps protections — Windows Store apps — UWP and converted Win32 programs — are vetted before they are made available.
  • No Child Proc — Designed to block code execution by launching child processes.

Microsoft mentions the main objectives when implementing threat mitigations into Windows 10 afterwards:

Reducing the attack surface of Windows Platform
Takes soft target out of the picture
Eliminates existing exploitation techniques so that new techniques need to be found.
Reducing impact of vulnerability by isolation.
Make overall exploitation harder and expensive

Closing Words

Windows as a Service guarantees faster deployment of exploit mitigation techniques according to Microsoft. While that is probably true for some techniques, others may have also been added to previous versions of Windows as updates.

Now Read: Windows Defender Exploit Guard – Native EMET in Windows 10 (via Born)


Article Name

Windows 10 Threat Mitigation advancements


An overview of Windows 10’s Windows as a Service threat mitigation model, important anti-exploit techniques, and a comparison to the old system.


Martin Brinkmann


Ghacks Technology News


About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.You can follow Martin on Facebook, Twitter or Google+

Powered by WPeMatico