Security Analysis of Windows Operating System
Paper Type: Free Essay | Subject: Information Technology |
Wordcount: 2580 words | Published: 18th May 2020 |
Windows 10 is one of, if not the most commonly used operating systems by the general public. It’s versatile and easy to use, and comes with a plethora of features, and this extends to its security as well. Windows has a multitude of security features built into the operating system to help protect user data and keep one’s computer clean. The primary program responsible for this, Windows Defender, is made up of many smaller features, which will be the primary focus of this paper. There are six primary security features to go over: the Windows Defender Application Guard, the Windows Defender Exploit Guard, the Windows Defender Credential Guard, the Windows Defender SmartScreen, the Microsoft BitLocker, and User Account Control.
The Windows Defender Application Guard is “designed to help prevent old and newly emerging attacks to help keep employees productive.” (Windows Defender Application Guard Overview, 2019). Essentially, this means that as an administrator, you can choose what sources are to be trusted, and which ones are not. This allows the host PC to be protected from malicious sites trying to gain access to data, as, even if a user accesses an untrusted site, Application Guard will ensure that the attacker is unable to access important data, as the computer opens the site in an isolated container separate from the operating system itself. One important caveat to this, however, is that this feature is built into Windows’ default browser, Microsoft Edge. Browser extensions exist for other browsers such as Google Chrome and Firefox, but this is only implemented by default in Microsoft Edge.
The Windows Defender Exploit Guard works very differently than the Windows Defender Application Guard, despite the similar name. This security feature exists to reduce the number of openings attackers have to extract or enter any data into the system. It does this through the help of four specific features, all of which combine to create the security feature that is the Windows Defender Exploit Guard.
The first feature is Exploit protection, which “can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps.” (Windows Defender Exploit Guard, 2018) Exploit protection works exactly as one may expect from the title; it exists to mitigate the threat of exploits from attackers and ensures that any app running has some sort of protection against malicious attackers.
The next feature, Attack surface reduction rules, can “reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office, script, and mail-based malware.” (Windows Defender Exploit Guard, 2018) Essentially, this security feature ensures that openings for malicious attackers to attack the system are reduced, covering up holes the system may otherwise have.
Next, Network Protection “extends the malware and social engineering protection offered by Windows Defender SmartScreen in Microsoft Edge to cover network traffic and connectivity on your organization’s devices.” (Windows Defender Exploit Guard, 2018) This is an extension of another security feature, Windows Defender SmartScreen, which will be discussed later. It offers the same protection as SmartScreen does, but over the device’s networks.
Last, Controlled Folder Access “helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware.” (Windows Defender Exploit Guard, 2018) This feature covers one of the few critical areas that the others have not, ensuring that the system’s files cannot be tampered with. With these four features, the Windows Defender Exploit Guard offers a variety of handy defenses to various openings in the operating system.
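The state of the four Exploit Guard components described above can be read back on a machine with the built-in Defender and ProcessMitigations cmdlets. This is an added example, not part of the original essay; it assumes an elevated PowerShell session on Windows 10 with Microsoft Defender as the active antivirus, and the variable and helper names are illustrative.

```powershell
# Added example: report the state of the four Exploit Guard components.
# Assumes an elevated session with Microsoft Defender as the active antivirus.

# Numeric states used by Defender preferences (6 applies to ASR rules only).
$state = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit'; 6 = 'Warn' }
function Get-StateName([int]$Value) {
    # Hypothetical helper: fall back to the raw number for values not mapped above.
    if ($state.ContainsKey($Value)) { $state[$Value] } else { "Other ($Value)" }
}
$pref = Get-MpPreference

# 1. Exploit protection: system-wide defaults (ON, OFF or NOTSET per mitigation).
$sys = Get-ProcessMitigation -System
$exploitProtection = [pscustomobject]@{
    DEP          = $sys.Dep.Enable
    ASLRBottomUp = $sys.Aslr.BottomUp
    CFG          = $sys.Cfg.Enable
    SEHOP        = $sys.SEHOP.Enable
}

# 2. Attack surface reduction: rule IDs and actions are parallel arrays.
$ids     = @($pref.AttackSurfaceReductionRules_Ids | Where-Object { $_ })
$actions = @($pref.AttackSurfaceReductionRules_Actions)
$asrRules = for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = Get-StateName $actions[$i] }
}

# 3 and 4. Network protection and controlled folder access.
$summary = [pscustomobject]@{
    NetworkProtection      = Get-StateName $pref.EnableNetworkProtection
    ControlledFolderAccess = Get-StateName $pref.EnableControlledFolderAccess
    AsrRulesConfigured     = $ids.Count
    AsrRulesBlocking       = @($asrRules | Where-Object Action -eq 'Enabled (block)').Count
}

$exploitProtection | Format-List
$asrRules          | Format-Table -AutoSize
$summary           | Format-List
```

A rule or feature reported as "Audit" only logs events and does not block anything, so it should not be counted as active protection.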
While the Windows Defender Application Guard existed to protect the system from untrusted sources, and the Windows Defender Exploit Guard was made to protect the system from potential exploits, the Windows Defender Credential Guard exists “to isolate secrets so that only privileged system software can access them.” (Protect derived domain credentials with Windows Defender Credential Guard, 2017) The Windows Defender Credential Guard uses three features to do this. Hardware security takes advantage of security features present on the system such as Secure Boot to keep user credentials safe. Virtualization-based security uses hardware features to make a secure area of memory, separate from the operating system, which can then be used to execute security solutions and keep them safe from any and all attacks in the operating system which would otherwise not allow the security process to execute. Lastly, the system has protection against more advanced, persistent threats, by ensuring that malware in the operating system cannot access virtualization-based security memory, even if that malware has obtained administrative privileges. Of course, this defense does not serve as an end-all-be-all, but it does serve as an extra layer of defense to ensure that security solutions can be executed and used.
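Whether the pieces Credential Guard relies on (Secure Boot and virtualization-based security) are actually running can be checked from the `Win32_DeviceGuard` CIM class. This is an added example, not part of the original essay; it assumes an elevated PowerShell session on Windows 10, and the variable names are illustrative.

```powershell
# Added example: check the protections Credential Guard depends on.
# Assumes an elevated session; Win32_DeviceGuard is present on Windows 10.

$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$service  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-protected code integrity' }

$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                      -Namespace 'root\Microsoft\Windows\DeviceGuard'

# Secure Boot: the cmdlet throws on legacy BIOS systems or without elevation.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = 'Not available (legacy BIOS or not elevated)' }

# Translate the numeric service lists; codes not mapped above are shown as-is.
$toNames = {
    param($codes)
    @($codes | Where-Object { $_ } | ForEach-Object {
        if ($service.ContainsKey([int]$_)) { $service[[int]$_] } else { "Service $_" }
    })
}

$report = [pscustomobject]@{
    SecureBoot             = $secureBoot
    VirtualizationSecurity = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured     = (& $toNames $dg.SecurityServicesConfigured) -join ', '
    ServicesRunning        = (& $toNames $dg.SecurityServicesRunning) -join ', '
    CredentialGuardRunning = @($dg.SecurityServicesRunning) -contains 1
}
$report | Format-List
```

A service listed under `ServicesConfigured` but missing from `ServicesRunning` is set by policy but not in effect, usually because a hardware or firmware prerequisite is missing or the machine has not rebooted since the policy was applied.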
The fourth security feature, the Windows Defender SmartScreen, is one that was mentioned prior when discussing the Network protection segment of Windows Defender Exploit Guard. So, what does it do? Well, the Windows Defender SmartScreen works to protect users in case they “try to visit sites previously reported as phishing or malware websites” (Windows Defender SmartScreen, 2017), and to protect the user if they try to download files that seem risky.
These are fantastic features for security purposes, but one may wonder, how does SmartScreen determine if a site or file is malicious? Well, in order to determine if a site is malicious, the SmartScreen’s main method of doing so consists of it analyzing visited webpages, looking for any suspicious behavior. If it finds anything, it notifies the user and tells them to be careful. In addition, SmartScreen also checks sites against a list of reported phishing sites. If it finds a match, then it notifies the user. For downloaded files, it follows a similar protocol; SmartScreen checks downloaded files and compares them to a list of reported malicious sites and programs, and if it finds a match, it notifies the user. However, it also checks any and all downloaded files against a list of well-known files that have been downloaded by many Windows users, and if the file isn’t on that list, then SmartScreen notifies the user as well. Because of this, oftentimes harmless files can be flagged simply because they haven’t been downloaded by many Windows users, but this feature can help to sniff out any fake files appearing to come from a credible source.
So, what benefits does SmartScreen provide? Well, there are a few major ones. For starters, SmartScreen is very clearly made to help fight against phishing and malware. Its entire purpose is to identify these problems for the user and to let them know so that they don’t fall prey to an attacker. However, this is far from the only purpose of SmartScreen; it also develops a reputation system for websites and apps. Since one of SmartScreen’s methods of finding malware and phishing is by comparing websites and files to a list of malicious sites and files, it develops a reputation system and reduces traffic that would otherwise be visiting these sites or downloading these files. In addition, unlike some of the other security features mentioned prior, SmartScreen is directly integrated into Windows 10’s operating system, meaning that even if one were to use a different browser such as Google Chrome, SmartScreen would still check every site and file the user uses.
Another security feature in Windows 10 is the Microsoft BitLocker, which serves as a method to encrypt local user data using the AES encryption algorithm. This helps to protect device data from offline hardware attacks; if a device is locked with a PIN, this lack of access in addition to the encryption BitLocker provides makes it much more difficult for an attacker to get any information from the device, as the main operating system and internal data are all encrypted. This means that even if an attacker breaks in, the data will be completely indecipherable. This feature is especially useful for users while they travel; belongings can be easily lost or stolen, and without some level of encryption, the data would be easy to obtain. This feature is also easy to implement; most users likely don’t even know that it’s in use because as of Windows 10, this feature now comes as a standard feature directly out of the box, encrypting the user’s data quickly and seamlessly from the moment they boot their computer. (Overview of BitLocker Device Encryption in Windows 10, 2019)
Encryption is, of course, very important, and BitLocker is not always the only option built into Windows. It’s the only option built into Windows 10 normally, but in the Professional and Enterprise versions of Windows 10, there is a second encryption feature available. This feature is known as the Encrypting File System. It works similarly to BitLocker, but with a couple key differences.
So, what are these differences? Well, a key distinction of BitLocker is that it’s a full-disk encryption. It encrypts a full volume, one at a time, covering every single file available. BitLocker can be used to only encrypt a few files, but this is cumbersome and requires extra work by manipulating what BitLocker sees as an entire volume. This is a notable limitation of the software, and while it isn’t a negative limitation, it’s one that exists nevertheless.
The Encrypting File System (or EFS for short) works differently, however. This software is notable for having a more specialized purpose; instead of encrypting the entire drive, EFS is used to encrypt individual files. BitLocker just encrypts everything automatically, but EFS requires manual input from the user, deciding what files they want encrypted. This process is more time-consuming than just using BitLocker, but if there was ever a reason one would want individual files to be encrypted, the option exists. It’s an antiquated feature that was removed from normal commercial versions of Windows for good reason; BitLocker was introduced with Windows Vista, but EFS was introduced in Windows 2000. (Hoffman, 2015) As a result, while there really isn’t any feasible reason to use EFS, it is another security feature that exists nevertheless.
The final security feature of Windows 10 I’d like to discuss is User Account Control, or UAC for short. This is a key concept of Microsoft’s security, which helps to mitigate how much damage malware can do. The quote below from the Windows IT Pro Center explains how it works:
“Each app that requires the administrator access token must prompt for consent. The one exception is the relationship that exists between parent and child processes. Child processes inherit the user’s access token from the parent process. Both the parent and child processes, however, must have the same integrity level. Windows 10 protects processes by marking their integrity levels. Integrity levels are measurements of trust. A “high” integrity application is one that performs tasks that modify system data, such as a disk partitioning application, while a “low” integrity application is one that performs tasks that could potentially compromise the operating system, such as a Web browser. Apps with lower integrity levels cannot modify data in applications with higher integrity levels. When a standard user attempts to run an app that requires an administrator access token, UAC requires that the user provide valid administrator credentials.” (How User Account Control Works, 2018)
In short, this ensures that apps with low integrity levels (such as a web browser, which does not modify system data, compared to something like a disk partitioning application which can and is considered a high integrity application) cannot alter data in applications with higher integrity levels. If it were able to, then a low integrity application would have the power to alter system data which is completely unacceptable, as it would allow a malware exploit that takes control of something like a web browser to directly alter the computer’s system files, stealing any and all personal information inside and potentially compromising the computer’s usage completely.
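Integrity levels and the UAC prompt policy can be inspected directly: every process token carries a mandatory label SID (`S-1-16-…`), and the prompt behaviour lives under the `Policies\System` registry key. This is an added example, not part of the original essay; it assumes Windows 10 with `whoami.exe` and `icacls.exe` on the path, and the variable names are illustrative.

```powershell
# Added example: show the current process's integrity level and the UAC policy.

# Well-known mandatory label SIDs and the integrity level each one represents.
$levels = @{
    'S-1-16-0'     = 'Untrusted'; 'S-1-16-4096'  = 'Low'
    'S-1-16-8192'  = 'Medium';    'S-1-16-8448'  = 'Medium Plus'
    'S-1-16-12288' = 'High';      'S-1-16-16384' = 'System'
}

# /nh drops the localized header row so the column names below are fixed.
$label = whoami /groups /fo csv /nh |
    ConvertFrom-Csv -Header Name, Type, SID, Attributes |
    Where-Object { $_.SID -like 'S-1-16-*' } |
    Select-Object -First 1

# Consent prompt settings as documented for the UAC group policy values.
$adminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Credentials on secure desktop'; 2 = 'Consent on secure desktop'
    3 = 'Credentials';                   4 = 'Consent'
    5 = 'Consent for non-Windows binaries'
}
$userPrompt = @{
    0 = 'Automatically deny'
    1 = 'Credentials on secure desktop'; 3 = 'Credentials'
}

$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

[pscustomobject]@{
    ProcessIntegrity   = $levels[$label.SID]
    UacEnabled         = ($uac.EnableLUA -eq 1)
    AdminPrompt        = $adminPrompt[[int]$uac.ConsentPromptBehaviorAdmin]
    StandardUserPrompt = $userPrompt[[int]$uac.ConsentPromptBehaviorUser]
    SecureDesktop      = ($uac.PromptOnSecureDesktop -eq 1)
} | Format-List

# Objects carry labels too: this folder typically shows a Low label with the
# no-write-up (NW) flag, which is what stops lower levels writing to higher ones.
icacls (Join-Path $env:USERPROFILE 'AppData\LocalLow')
```

Run it once from a normal shell and once from a shell started with "Run as administrator": the first reports Medium and the second High, which is the split between the standard and administrator access tokens that the quoted passage describes.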
In conclusion, Windows has a large variety of security features at its disposal. Many of these are, unfortunately, not particularly effective, as any malware that is unable to break through the initial defenses of a Windows OS is by extension unable to break through any Windows computers at all. As a result, keeping any exploits for this system up to date would be a high priority, but Windows is also working to patch up holes in the security as well. In the meantime, it’s best to have some other form of security installed onto your computer to supplement Windows’ built-in features, and with the continued rise of the internet, this will only become more critical with time.
Works Cited
- Hoffman, C. (2015, December 22). What’s the Difference Between BitLocker and EFS (Encrypting File System) on Windows? Retrieved from How To Geek: https://www.howtogeek.com/236719/whats-the-difference-between-bitlocker-and-efs-encrypting-file-system-on-windows/
- How User Account Control Works. (2018, November 15). Retrieved from Windows IT Pro Center: https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
- Overview of BitLocker Device Encryption in Windows 10. (2019, February 27). Retrieved from Windows IT Pro Center: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10
- Protect derived domain credentials with Windows Defender Credential Guard. (2017, August 16). Retrieved from Windows IT Pro Center: https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard
- Windows Defender Application Guard Overview. (2019, March 27). Retrieved from Windows IT Pro Center: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
- Windows Defender Exploit Guard. (2018, August 08). Retrieved from Windows IT Pro Center: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard
- Windows Defender SmartScreen. (2017, July 26). Retrieved from Windows IT Pro Center: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview