© Andrew Bettany and Mike Halsey 2017

Andrew Bettany and Mike Halsey, Windows Virus and Malware Troubleshooting, 10.1007/978-1-4842-2607-0_2

2. Prevention and Defense

Andrew Bettany (1) and Mike Halsey (2)

(1) Microsoft, York, North Yorkshire, UK

(2) Sheffield, South Yorkshire, UK

I stated in the previous chapter that there are two main things that you can do, as an IT professional, to defend your systems against malware. One is to make it as difficult as possible for users to install malware on your systems or to transfer malware-infected files onto your storage servers. This is achieved by using a combination of technologies, processes, and strategies that together can make malware infection difficult.

The other is to train staff in the different types of malware threat, how they are spread, how to spot them, and what it is and isn’t safe to click and permit. This is called security awareness, and it should be a staple of all training for employees in any business or organization.

It’s not always possible, however, to block users from performing actions such as installing software, and it certainly isn’t possible to prevent users from moving files around, saving them from e-mails and copying them from and to USB flash drives. This is where configuring good preventative measures on your PCs becomes essential, as the PC itself then becomes the first line of defense against any malware.

Microsoft Windows comes with a multitude of tools for defending against malware, though the features on offer do vary from one version of Windows to another, with, as you might guess, the best suite of security tools available in the most modern version of the OS. I want to look at each of these tools in turn, but first I’ll detail just what you can find in each different OS version (Table 2-1).

Table 2-1. Security Features Available by Windows Version

Tool                                       Windows 7   Windows 8.1   Windows 10
Security Center                            X           X             X
Windows Defender                           Download    X             X
Windows Defender Offline                   Download    Download      X
Windows Firewall                           X           X             X
Windows Firewall with Advanced Security    X           X             X
User Account Control                       X           X             X
SmartScreen                                -           X             X
Malicious Software Removal Tool            Option      Option        X
Secure Boot                                -           X             X
Trusted Boot                               -           X             X
App Containers                             -           Limited       X
Early Launch Anti-Malware                  -           X             X
Mandatory Security Updates                 Option      Option        X

(X = included; Download = available as a separate download; Option = optional; - = not available)

Organizational-Level Security

Before I jump into detailing the security tools and features of the Windows OS itself, it’s important to discuss malware prevention on an organizational level. This includes the strategic plan for how all aspects of a business or organization handles security. The considerations that have to be made include the operational, tactical, and strategic security activities that will affect every PC, server, network system, and mobile device in the organization, as well as how bring your own device (BYOD) and guest devices are treated.

Additionally, these security strategies cover the rules governing how data is guarded and transferred across and outside the company network. You may, for example, have a policy that no company files should be transferable to a removable storage device, such as a USB flash drive, DVD, or guest laptop.

Staff security awareness training is also an essential component in an organizational security strategy, as the people using the computers in any business or workplace are always the weak link where security is concerned.

Having an organization-wide security strategy can assist considerably in the prevention of malware, because, let’s not forget, in the age of the Internet, there really is no such thing as a stand-alone PC or isolated network anymore.

Core Microsoft Security Features

The security features in different Windows versions fall into different categories, depending on the type of support and security they offer. At the forefront of this are core features that exist across all supported versions of the OS. The Microsoft security web page, accessible at http://pcs.tv/2iCD4pF, contains up-to-date information on threats, prevention, and defense, as well as information on subjects such as legal compliance, transparency, and privacy.

Security Center/Security and Maintenance

The Security Center, called Security and Maintenance in Windows 10, is most prominent in Windows versions 7 and 8.1, where it sits in the system tray behind a little white flag (the irony of which has never been lost on me). It’s the Security Center that will automatically, and periodically, check for problems with Windows Update and the network, firewall, and troubleshooting settings, and report to you if a problem is found.

It is designed as a central location for getting information about the status of the security on your PC (see Figure 2-1). There are collapsible panels for Security and Maintenance, and alerts are highlighted with traffic light colors, including green when everything is fine, amber if you should be aware of something that isn’t urgent, and red for a critical alert, such as Windows Update or your antivirus updates being out of date.

Figure 2-1. The Windows Security Center

User Account Control

User Account Control (UAC) is a security subsystem that acts as the first line of defense against any malicious software installations and unwanted OS system changes. It is accessed through the Security Center or by searching for “UAC” in the Start menu. Any user wanting to change UAC settings will first have to have administrative permissions on the PC.

The feature displays an alert dialog in the secure Windows environment that’s used to display the sign-in dialog. In this special environment, nothing can be done with the OS except interact with the single dialog that’s displayed, and only the user can do that, as all background processes are suspended. This means that malware cannot hijack the screen and click through the prompt itself.

There are four separate settings for UAC (see Figure 2-2) that begin at Never notify, which will turn UAC off completely, through to Always notify, which I like to call “Annoying Mode.” The default setting for UAC will notify you when changes are being made to the PC that will affect all or other users on the machine (whether there are additional user accounts or not), which include disabling features, installing an app, and accessing a core system folder, but not changes that would only affect your own account, such as modifying your language settings or setting the correct time. I’ll cover UAC in more detail in Chapter 3.

Figure 2-2. UAC has four different settings
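The four slider positions described above correspond to a small set of registry values that the UAC dialog writes. As an added example (not code from the book), the following script reads those values and reports which position a PC is using, and flags anything weaker than the default; the value names and the position mapping are Microsoft’s documented UAC policy settings, which the chapter itself does not list.

```powershell
# Added example (not from the book): report which of the four UAC slider
# positions a PC is using, by reading the registry values the slider sets.
# Value names and the mapping follow Microsoft's documented UAC policy
# settings; they are not mentioned in the chapter text.
function Get-UacSetting {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Windows applies these defaults when a value is absent from the registry.
    $enableLua   = if ($null -ne $p.EnableLUA)                  { [int]$p.EnableLUA }                  else { 1 }
    $adminPrompt = if ($null -ne $p.ConsentPromptBehaviorAdmin) { [int]$p.ConsentPromptBehaviorAdmin } else { 5 }
    $secureDesk  = if ($null -ne $p.PromptOnSecureDesktop)      { [int]$p.PromptOnSecureDesktop }      else { 1 }

    $position = if ($enableLua -eq 0) {
        'UAC disabled entirely (EnableLUA=0); no elevation prompts at all'
    } elseif ($adminPrompt -eq 0 -and $secureDesk -eq 0) {
        'Never notify (slider bottom)'
    } elseif ($adminPrompt -eq 5 -and $secureDesk -eq 0) {
        'Notify only when apps try to make changes, without dimming the desktop'
    } elseif ($adminPrompt -eq 5 -and $secureDesk -eq 1) {
        'Notify only when apps try to make changes (Windows default)'
    } elseif ($adminPrompt -eq 2 -and $secureDesk -eq 1) {
        'Always notify (slider top)'
    } else {
        "Custom policy (ConsentPromptBehaviorAdmin=$adminPrompt, PromptOnSecureDesktop=$secureDesk)"
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        PromptOnSecureDesktop      = $secureDesk
        SecureDesktopUsed          = ($enableLua -eq 1 -and $secureDesk -eq 1)
        SliderPosition             = $position
    }
}

$uac = Get-UacSetting
$uac | Format-List

# The secure desktop is what stops malware from clicking through the prompt
# on the user's behalf, so anything that turns it off deserves a warning.
if (-not $uac.SecureDesktopUsed -or $uac.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'UAC is weaker than the default: prompts are skipped or not shown on the secure desktop.'
}
```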

Windows Firewall/Advanced Firewall

Windows comes with two different firewall interfaces: the default firewall and the advanced firewall. I won’t go into these in too much detail here, as I’ll discuss them in depth in Chapter 3, but the firewall Microsoft supplies is extremely effective.

The advanced firewall offers IT pros and advanced users the ability to control the firewall on a port, app, or service level, ensuring that users can gain access to critical business systems, such as network shares, while maintaining high levels of security.

Many companies and organizations still choose to replace the default Windows firewall with a third-party solution. This is because third-party products can be more flexible, powerful, and more frequently updated than the Microsoft-provided solution.

Malicious Software Removal Tool

The Malicious Software Removal Tool is delivered monthly as part of Windows Update, but you can also download it manually from http://pcs.tv/2c7CUXn, if you suspect you have malware on your PC.

You can think of this tool as an extra, offline antivirus package that will check your PC for the current major malware threats and assist in removing them, if any exist.

I list this as being optional for Windows 7 and Windows 8.1, because it’s only with Windows 10 that security and stability updates are mandatory in Windows Update and cannot be disabled.

Windows Update

Speaking of Windows Update, which makes for a nice segue, this is the feature of Windows that keeps the OS up to date with the latest security, stability, and feature updates.

Windows Update should not be disabled on Windows 7 and 8.1 systems, as not having a machine that’s fully patched and up to date poses a significant security risk in itself.

You’ll no doubt be familiar with Windows Update and know that you can choose when to install updates, hide them, and schedule when updates are downloaded and at what time of the day, if at all, and your PC restarts.

With Windows 10, everything is different. You cannot block, or hide, any security or stability updates for the OS at all. Not even a system administrator has those rights any more. A tool does exist to hide updates on a per-PC basis, and you can download it from http://pcs.tv/2cWj9BP, but this can only be done retrospectively, after an update has already been installed and then removed from the OS.

Two business branches exist in Windows 10 that permit deferment of feature updates, by which Microsoft means new features and upgrades to the OS. The Current Branch for Business (CBB) is available in all installations of Windows 10 Pro (see Figure 2-3). Checking this option will defer feature updates for a period of a few months. In fact, Microsoft doesn’t say how long the deferment is for, but the general thinking is that it is around three months.

Figure 2-3. CBB permits deferment of feature updates in Windows 10 Pro

The other business branch is called Long Term Servicing Branch (LTSB), and this is available only on Windows 10 Enterprise editions. Activating LTSB will defer feature updates for ten years, which Microsoft says is the expected lifetime of an average PC.

As I mentioned earlier, however, neither of these branches will block any security or stability updates from being installed in any edition of Windows 10.

Windows Startup Security

In Chapter 1, I discussed the dangers of rootkit infections on PCs and how an Intel-developed technology is mandatory on all PCs sold with Windows 8.1 or later versions. There is, in fact, a series of technologies available in Windows 8.1 and Windows 10 (not Windows 7) that helps guard against boot sector malware.

BitLocker Encryption

It’s worth beginning this section by noting that encrypting the hard disk(s) on a PC through use of a security feature such as BitLocker, which is provided with every Pro and Enterprise edition of Windows, can help secure a PC from attack. This is because encrypted drives are kept locked and secure, until the user password is entered at the sign-in screen.

A BitLocker-encrypted PC in which the user is signed out is much more secure from malware, rootkits, and theft than one that is not encrypted.

Secure Boot

First developed by Intel, Secure Boot performs two tasks when a PC is switched on and before the OS loads. First, it verifies that the motherboard firmware is digitally signed, which helps reduce the risk of rootkits, which will modify the firmware and, thus, corrupt the signature.

Secure Boot then queries the digital signature of the OS in the bootloader to see if it matches a cryptographic signature that’s stored within the UEFI firmware. If both signatures match, the OS is permitted to load. If they don’t, Secure Boot concludes that the bootloader has been tampered with and will prevent the OS from starting.

This isn’t always good news, however. I’ve previously mentioned that Windows 7 does not support Secure Boot, nor can it store its cryptographic signature in the PC’s firmware when it’s installed. Many Linux distros don’t support Secure Boot either, though the most common distros do, and information is available on their web sites. Having Secure Boot enabled means that an OS that doesn’t have a valid cryptographic signature will not be permitted to boot.

There are ways around this. Some UEFI systems will allow you to register a bootloader as “safe,” while you can also disable Secure Boot on some, but not all, UEFI systems. If you plan to install an OS that does not support UEFI on a new PC, it’s worth checking the firmware, or the motherboard manual, before you purchase the PC, to see if Secure Boot can be switched off, or if it will allow you to add non-signed operating systems.

Trusted Boot

Another feature exclusive to Windows 8.1 and Windows 10, Trusted Boot takes over once the OS begins to load. This system checks the OS kernel and all other OS components, such as drivers, start-up files, Early Launch Anti-Malware (more on that in a minute), and all other Windows components, to see if any has been modified.

If it finds that a component has been modified, it will refuse to load that component. Windows has an automatic feature that will then run in the background and attempt to repair the damaged or modified component.

Early Launch Anti-Malware

One of the problems with security in legacy versions of Windows was that malware could often load before users’ antivirus software, and, thus, it could interfere with that software and prevent detection or removal of itself.

Early Launch Anti-Malware (ELAM) prevents this and also prevents a rootkit from disguising itself as an antivirus driver and loading. ELAM will launch a verified antivirus driver before all other drivers in what Microsoft calls a “chain of trust.”

It does this by examining all drivers that start with the OS and determining if they are signed and on a list of trusted drivers. If they’re not on the list, they won’t be loaded.

All major antivirus packages support ELAM, which is only available in Windows 8.1 and Windows 10. It should be noted, however, that the main antivirus software will load later in the boot process, meaning that while ELAM is a helpful defense, it’s not the full antivirus package.
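The three start-up protections in this section (Secure Boot, BitLocker on the OS volume, and the signed-driver requirement that Trusted Boot and ELAM depend on) can each be checked from an elevated PowerShell prompt on Windows 8.1 or 10. The script below is an added example, not code from the book; the cmdlets are standard Windows modules, and the way their output is interpreted and summarised is this example’s own.

```powershell
# Added example (not from the book): one-shot check of the start-up
# protections this section describes. Run from an elevated PowerShell on
# Windows 8.1/10. The cmdlets are from the in-box SecureBoot and BitLocker
# modules; the summary format is this example's own.
$report = [ordered]@{}

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems,
# and the cmdlet does not exist at all on Windows 7.
try {
    $report['SecureBoot'] = if (Confirm-SecureBootUEFI) { 'Enabled' } else { 'Disabled (UEFI firmware, but Secure Boot switched off)' }
} catch {
    $report['SecureBoot'] = 'Not available (legacy BIOS, unsupported firmware, or Windows 7)'
}

# BitLocker on the OS volume: the module exists only on Pro/Enterprise editions.
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    $report['BitLockerOSVolume'] = "$($os.VolumeStatus), protection $($os.ProtectionStatus)"
} catch {
    $report['BitLockerOSVolume'] = 'Not available on this edition, or not configured'
}

# Trusted Boot and ELAM rely on boot-start and system-start drivers being
# signed. List any such driver whose signature does not verify.
$notVerified = @()
foreach ($drv in Get-CimInstance Win32_SystemDriver | Where-Object { $_.StartMode -in @('Boot', 'System') }) {
    if (-not $drv.PathName) { continue }
    # Normalise the kernel-style paths WMI returns (\SystemRoot\..., \??\C:\..., system32\...).
    $path = $drv.PathName -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }
    # Most in-box drivers are catalog-signed rather than embedded-signed;
    # Get-AuthenticodeSignature reports those as Valid with SignatureType 'Catalog'.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $notVerified += [pscustomobject]@{
            Name = $drv.Name; StartMode = $drv.StartMode; Status = $sig.Status; Path = $path
        }
    }
}
$report['EarlyDriversNotVerified'] = $notVerified.Count

[pscustomobject]$report | Format-List
if ($notVerified.Count) { $notVerified | Format-Table -AutoSize }
```

A non-zero EarlyDriversNotVerified count is a prompt to investigate, not proof of infection: a vendor driver with an expired or revoked certificate produces the same result.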

Anti-Malware Features

Another helpful segue, and it’s on to the subject of the specific anti-malware features in the Windows OS. As with other features I’ve already listed, they do tend to vary from one OS version to another, with Windows 7 being the least supported.

Windows SmartScreen

Windows SmartScreen is an online feature of many Microsoft products, including Windows 7 (where it’s called the Phishing Filter), Windows 8.1, Windows 10, and some online services as well.

Because the service runs online, it is always kept up to date. It checks incoming e-mails and downloads against white- and blacklists of known phishing sites and malware payloads, and if it finds something that’s known to be malicious, it blocks it.

There are a few problems with SmartScreen as it currently stands, however (it is hoped that Microsoft will address these over time). It will occasionally find a download that it’s not sure about. The dialog that SmartScreen displays for you advises strongly against executing the download, but the interface is crafted in such a way as to make it difficult to open or run the downloaded file, should you wish to.

The other problem is bigger, as both Internet Explorer 11 (IE11), in all supported versions of Windows, and the Edge browser, along with the Settings app in Windows 8.1 and Windows 10, include a simple switch to turn the feature off (see Figure 2-4). None of these has any proper description of what SmartScreen is or why it’s important, and no UAC prompt has to be clicked to deactivate the feature. Given that all three methods are easy for end users to find and click, I hope this is something Microsoft will address in future builds of Windows 10.

Figure 2-4. SmartScreen can be too easily disabled by users

Windows Defender/Security Essentials

Windows Defender is the free/included antivirus package for Windows. It’s built into Windows 8.1 and Windows 10 and is activated by default. In Windows 7, it’s an optional download that you can get from http://pcs.tv/2cZ6Ch5. Additionally, in Windows 7, it’s called Microsoft Security Essentials, which differentiates it from a separate anti-spyware package in the OS called Windows Defender, which looks and operates in a manner extremely similar to Security Essentials (and indeed Windows Defender) but does a completely different job. I just wanted to make that clear.

I’m not going to make any comments about the effectiveness of Windows Defender as an antivirus package, as the effectiveness of security suites varies from year to year. As a basic package, however, it’s effective enough, and it has the added bonus of being incredibly lightweight, with almost no negative effect on performance or boot time. Most businesses or organizations, however, and, indeed, the author of this book, will install a third-party anti-virus product.

Windows Defender Offline

Later in this book, I’ll detail the offline antivirus tools you can download, from which you can boot your PC to scan for malware, without having to boot into an infected OS, as malware can often prevent security software from running on the desktop.

Windows Defender Offline can be downloaded from http://pcs.tv/2c8dSlI, but if you’re using Windows 10, you also have the feature built into the OS. Open the Settings app and navigate to Update & security, and then Windows Defender, and you can scroll down the page to see an option to start Windows Defender Offline (see Figure 2-5).

Figure 2-5. You can launch Windows Defender Offline from the Settings app

Windows Defender Offline (I’m beginning to feel this should be a drinking game!) will restart the PC and scan for, and attempt to remove, any malware it finds.

Other Security Features

The core security, startup security, and anti-malware features of Windows aren’t by any means all of the security features built into the OS. The final one comes with the unassuming name The Windows Store.

App Containers

When you install a Win32 traditional desktop program on your PC, it installs into the Program Files folder from which, with administrative privileges, it can see and access every other file and folder on the machine, including critical Windows operating system files.

Then along came app stores, and with them came containers. Containers are protected areas of storage and memory. Think of them as little virtual machines, each with its own segregated area of memory and storage.

Permissions are assigned to store apps, each of which must be approved by a user. If the user doesn’t want the app to be able to access her documents folders, her geolocation or another feature, such as her webcam, the OS will simply block the app from using it.

The Windows Store contains a great many apps that are useful in the workplace, such as the mobile editions of Word, Excel, PowerPoint, and OneNote. Microsoft has included a developer feature, however, that also allows Win32 apps to be containerized and placed in the store.

This includes the full desktop editions of Microsoft Office apps, and it additionally gives those apps access to store-only features, such as Sharing tools.

Tip

Running store apps instead of full Win32 desktop apps can boost the battery life of a laptop, ultrabook, or tablet, as these apps are suspended by the OS when they’re not in focus. This prevents them from using processor time when you’re busy doing something else. Additionally, running an app (any app) full-screen will also boost your battery life, as the graphics processor has fewer things to render.

It’s worth noting, too, that if you’re using Windows 10 on a low-power ARM-based PC, laptop, ultrabook, tablet, or smartphone, and you’re able to install and use Win32 desktop software, this will all be containerized, due to the re-architected nature of the ARM editions of the Windows 10 OS. These apps will also, typically, but not always, come from the Windows Store.

Why is this significant, you ask? While not every software house will place its products in the Windows Store, containerizing any app makes it significantly more resilient against a malware infection and prevents it from being able to interact with the underlying OS in a way that could prove malicious.

32-Bit (x86) and 64-Bit (x64) PCs

It’s actually very difficult to find a new PC on sale these days that contains a 32-bit processor (CPU), unless you’re buying a budget tablet or laptop. If you’re using Windows 7 in a business environment, however, you may still be using and supporting them.

32-bit desktop CPUs, which began with the Intel 386 series in 1985 and ran through to the Pentium 4 chips of 2004, don’t support virtualization. This means that, even though Windows 10 comes in a 32-bit variant, older processors and motherboards won’t support technologies such as app containers. At http://pcs.tv/2cXeWeh, you can check if your Intel processor supports virtualization. At http://pcs.tv/2cE9aAs, AMD provides information on virtualization in its processors.

Also, some older 64-bit processors and motherboards don’t support hardware virtualization, which means that they won’t support all the virtualization features of Windows, which can include app containers. It’s always wise to check the documentation that came with your processor and motherboard, when deciding whether to migrate the PC to Windows 10 or if it might be best to retire the unit and purchase a replacement.

While 64-bit installations of Windows are more secure than their 32-bit counterparts, this has more to do with the security features the 64-bit architecture supports and is no guarantee that a system will be secure by default. One of the advantages of 64-bit Windows systems, however, is that hardware and software drivers, which are a common method for malware attack, must be digitally signed by the manufacturer and Microsoft, in order to be supported and loaded at startup.

Note

Microsoft is no longer supporting the latest Intel processors for new installations of Windows 7 and Windows 8.1, and one can assume this also extends to AMD processors. This means that there is no driver support available for some processors, and the OS will fail to install. You can check if your PC is compatible with Windows 7 and Windows 8.1 at http://pcs.tv/2cEciMV.

Restricting Access to Files

Several times in this book, I’ve mentioned ransomware and detailed just how disastrous it can be if you find all of your files, or indeed an entire hard disk, encrypted and inaccessible.

The tools I’ve detailed throughout this chapter focus on protecting the core OS and your apps from malware. Protecting your files, however, requires a bit of thought and perhaps some careful planning.

When you look at the way we manage, store, and back up our files, you’ll commonly find that the moment you click Save, the file (or a backup copy of it) is automatically saved to a server store, or a cloud service, such as Office 365, OneDrive, Dropbox, Amazon S3, or Google Drive.

This is brilliant in general use, as it means our files are backed up seamlessly and silently, without us having to do anything about it. We can even use a feature such as File History in Windows 8.1 or Windows 10 to create multiple “versions” of files, which can be restored at a later date, should a change be made to a file accidentally.

Ransomware, however, takes full advantage of our desire to have everything backed up immediately and silently. The moment a file on your hard disk is encrypted, that registers as a file change, and your backup software, be it File History, a cloud sync package, or a third-party backup app—and not being very clever—will automatically back up the new encrypted version of the file.

You may be lucky, in that you’ll have version control, meaning that you can take your file storage offline in the event of a ransomware attack, and after cleaning the malware from the PC, restore the earlier version of the file. This, however, relies on your having at least double the amount of backup storage for your files as you use to store the files themselves, and many people and businesses not only won’t have this, they won’t think of it either.

The solution is to limit ransomware’s access to your backups, and there’s really only one safe and secure way to do this, even though it’s far from foolproof.

This is to have a completely separate backup of your files that runs on a periodic schedule, perhaps every week or every two weeks. This means that if ransomware hits, you will know that you have a backup you can return to that will not have been affected by the encryption.

I say this isn’t foolproof because, in this circumstance, it’s highly likely (Murphy’s law being what it is) that the ransomware will strike only a day, or even less, before your next backup is scheduled to begin, which means you lose almost a full backup interval of work.

The problems presented by ransomware mean that we all have to think very carefully about the way we store and back up our files and documents. We must make sure that we all have ample space for file versioning and enough redundancy in the system to ensure that we can recover a copy of our files, even if we lose a week or two’s worth, so that we can continue working.

This is, I’m sure, something that backup, cloud, and security vendors will address in the coming years, but it does need to be something you, and your business, plan for today.
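The separate, scheduled backup recommended above can be implemented with a short scheduled-task script. The following is an added example, not code from the book: it writes each run to its own dated generation, keeps a fixed number of generations so a copy from before an infection always survives, and, because the text’s whole point is that backup software will happily copy freshly encrypted files, it refuses to run if an unusually large share of files has changed since the previous generation. The paths, the threshold and the manifest format are this example’s own choices.

```powershell
# Added example (not from the book): a separate, scheduled generation backup
# with one safety check. It aborts, without touching the existing generations,
# when too many files changed since the last run, which is what a mass
# encryption by ransomware looks like from the backup's point of view.
# Paths, thresholds and the manifest format are this example's own choices.
param(
    [string]$Source             = 'D:\Data',
    [string]$BackupRoot         = 'E:\Backups',  # a drive attached only for backup runs, or a share the user account cannot write to
    [int]$KeepGenerations       = 4,
    [double]$MaxChangedFraction = 0.5
)

function Get-FileManifest([string]$Root) {
    # Relative path plus SHA-256 for every file; a new hash means the content changed.
    $root = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            Rel  = $_.FullName.Substring($root.Length + 1)
            Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

function Get-ChangedFraction($Previous, $Current) {
    # Fraction of previously backed-up files that are now modified or missing
    # (ransomware commonly renames files as well as encrypting them).
    if (-not $Previous.Count) { return 0.0 }
    $now = @{}
    foreach ($f in $Current) { $now[$f.Rel] = $f.Hash }
    $touched = 0
    foreach ($f in $Previous) {
        if (-not $now.ContainsKey($f.Rel) -or $now[$f.Rel] -ne $f.Hash) { $touched++ }
    }
    return $touched / $Previous.Count
}

if (-not (Test-Path -LiteralPath $BackupRoot)) { New-Item -ItemType Directory -Path $BackupRoot | Out-Null }
$generations = @(Get-ChildItem -LiteralPath $BackupRoot -Directory | Sort-Object Name -Descending)
$current     = @(Get-FileManifest $Source)

if ($generations.Count) {
    $previous = @(Import-Csv (Join-Path $generations[0].FullName 'manifest.csv'))
    $fraction = Get-ChangedFraction $previous $current
    if ($fraction -gt $MaxChangedFraction) {
        # Leave every existing generation alone; a person must look before anything is overwritten.
        throw ('{0:P0} of files changed since generation {1}; possible ransomware, backup aborted.' -f $fraction, $generations[0].Name)
    }
}

# New generation: a full copy plus the manifest used by the next run's check.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $dest | Out-Null
robocopy $Source $dest /E /R:1 /W:1 /NP /NFL /NDL | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
$current | Export-Csv -LiteralPath (Join-Path $dest 'manifest.csv') -NoTypeInformation

# Keep only the newest generations, so a version from before an infection
# is always available without needing double the storage indefinitely.
Get-ChildItem -LiteralPath $BackupRoot -Directory |
    Sort-Object Name -Descending |
    Select-Object -Skip $KeepGenerations |
    Remove-Item -Recurse -Force
```

Run it from Task Scheduler under an account that is the only one with write access to the backup location; if the same user account that opens e-mail attachments can write there, the ransomware can too.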

Summary

There are many features and facilities built into Microsoft Windows that can help you defend against malware and prevent it from infecting your PC. Migrating your PCs to Windows 10 can help greatly in this regard, as it contains more and better security features than any previous version of the OS. Also, with Windows 10 being the final version of the OS, and with it being regularly updated with new features, the security of the OS will only improve over time.

This is in stark contrast to Windows 7 and Windows 8.1, which now remain feature-locked. Windows 7 is already out of mainstream support, with extended (security and stability) support ending in January 2020. Windows 8.1 mainstream support ends (or ended, depending on when you read this) in January 2018, with extended support ending in January 2023.

There is one security feature, which may confuse you, that I’ve hardly mentioned in this chapter. This is Windows Firewall. Firewalls are, after all, an essential utility for defending against malware, hacking, and other types of attack. In the next chapter, we’ll look at Windows Firewall and Windows Firewall with Advanced Security in depth, along with more detailed ways you can defend your PC from attack.
