Chapter 7: Securing Data and Applications – Microsoft Exam MD-100 Windows 10 Certification Guide

Chapter 7: Securing Data and Applications

Security is essential for your devices and your end users. Data leakage seems to occur very often nowadays. Almost every day, you read that a company, a web shop, or a forum has been hacked and that their customers' details are for sale on the dark web. In this chapter, you will learn about some relevant security features that you can implement in Windows 10 to secure your system.

This chapter introduces the sixth objective, which is to know how you can configure the User Account Control (UAC) prompts, set threat management, implement disk and file encryption, and use AppLocker to control whether or not the end user can open applications.

The following objectives will be covered in this chapter:

  • Configuring User Account Control
  • Configuring Threat Protection
  • Implementing encryption
  • Using AppLocker

By providing you with the skills to configure User Account Control, configure Threat Protection, and implement encryption on disk and files in Windows 10, this chapter will help you prepare for the MD-100 (Windows 10) exam, which is part of the Microsoft 365 Certified: Modern Desktop Administrator Associate certification.

Technical requirements

In this chapter, we will look at PowerShell code. This code is available on this book's GitHub page: https://github.com/PacktPublishing/Microsoft-Exam-MD-100-Windows-10-Certification-Guide

In the Configuring UAC notifications section, you will learn how you can change the UAC notifications. The steps that you are going to follow have also been recorded. You can find the relevant videos at https://bit.ly/2LsQDqD.

Configuring User Account Control

Most users sign in to their computers with a user account that has more privileges to run their applications and access their data files than required. Using an administrative user account for day-to-day user tasks poses significant security risks.

Windows 10 provides UAC to simplify and help secure the process of elevating your account rights. However, unless you know how UAC works and how it can affect your users, you might have problems when you attempt to carry out typical end user support tasks. This section introduces how UAC works and how you can configure UAC notifications.

Understanding User Account Control

The User Account Control security feature provides a way for users to raise their privilege status from a regular user account to an Administrator account, without allowing them to sign into or switch user profiles. UAC is a collection of features, not just a prompt. Such features, which include File and Registry Redirect, Installer Detection, UAC prompt, ActiveX Installer Service, and others, allow Windows users to work with user accounts that are not part of the Administrators Group.

Such accounts, typically called standard users, are commonly described as having the least privileges to work with. The most important fact is that the experience is usually much more secure and reliable when users sign in with regular user accounts.

With Windows 10, as opposed to older operating systems, the number of applications and activities requiring the elevation of administrator rights is lower. This helps normal users do more while receiving fewer prompts for elevation, and increases compatibility with UAC while maintaining high safety standards.

When you need administrator-level permissions to make changes to your computer, UAC will notify you, as follows:

  • If you're an administrator, then click Yes to proceed.
  • If you're not an administrator, then the person on the machine with an Administrator account must enter their password so that you can begin or resume executing the task at hand.

The following screenshot shows the User Account Control prompt/pop-up window:

Figure 7.1 - The User Account Control elevation prompt

If you are a standard user, providing administrative credentials gives you administrator rights to complete the task. When you complete the task, permissions revert to those that a standard user has.

This means that no one can make changes to your device without your permission, even if you use an Administrator account. This helps prevent malicious users from installing spyware and malware on your computer or making changes to it.

We will now see how UAC works.

Knowing how UAC works

Windows 10 offers two types of user accounts: standard users and administrative users. UAC simplifies users' abilities to operate as standard users and perform all necessary daily tasks. Administrative users also benefit from UAC, because administrative permissions are only available after UAC requests permission from the user for that instance.

When UAC is enabled, members of the local Administrators group run with the same access token as standard users. A process can only use the full access token of an administrator once a member of the current Administrators group has authorized it.

This method forms the basis of the Admin Approval Mode principle. Users are only elevated to perform tasks requiring access via an administrator token. UAC asks the user to enter appropriate credentials for an Administrator account when a regular user tries to perform an administrative function. An example of a UAC prompt for end users is shown in Figure 7.2. This dialog box is the user prompt for the default standard behavior.

The prompt for elevation shows contextual information about the executable that is requesting elevation. The appearance of the prompt varies according to whether the application is signed with Authenticode. There are two variations of the elevation prompt: the consent prompt and the credential prompt.

Elevation entry points do not remember that elevation has occurred, such as when you return from a shielded location or task. As a result, the user must re-elevate to enter the task again.

The Windows 10 Operating System (OS) reduces the number of UAC elevation prompts for a standard user who performs everyday tasks. There are times, however, when it is appropriate to return an elevation prompt. For example, you don't need elevation to view Firewall settings. Changing the settings does, however, require elevation as the changes have a system-wide impact.

Most of the time, you should sign into your computer with a standard user account. Without an Administrator account, you can browse the internet, send emails, and use a word processor. You do not need to switch to or log into an Administrator account when you want to perform an administrative function, such as installing a new program or modifying a setting that will affect other users.

Before performing the task, you will be asked by the Windows OS for permission or an administrator password. The best practice is to create standard user accounts for all of the people that use your computer. Now, let's learn about standard user accounts.

Understanding standard users

In previous versions of the Windows OS, many users were configured to use administrative permissions rather than standard user permissions. This was because previous Windows versions required users to have administrator permissions to perform basic system tasks, such as adding a printer or configuring a time zone. In Windows 10, many of these tasks no longer require administrative permissions.

When users have administrative permissions on their computers, they can install additional software. Despite organizational policies against installing unauthorized software, many users still do it, which can make their systems less stable.

When you enable UAC and a user needs to perform a task that requires administrative permissions, UAC prompts the user for administrative credentials. In an enterprise environment, the help desk can give a user temporary credentials that have local administrative permissions to complete a task. The default UAC setting allows a regular user to complete the following tasks without receiving a request from UAC:

  • Installing Windows Update updates
  • Installing Windows Update drivers, or drivers included with the OS
  • Viewing Windows Settings (a standard user is still asked for elevated permissions to change them)
  • Pairing Bluetooth equipment with the computer
  • Resetting the network adapter and conducting other testing and maintenance functions on the network

Earlier, we mentioned that there are two different elevation prompts. A standard user account gets the credential prompt. The credential prompt pops up when the standard user account needs to perform an administrative task:

Figure 7.2 - The UAC credential prompt

As shown in the previous screenshot, the standard user account needs to enter an administrative user's password. In this example, this is to run the Command Prompt in Administrator mode.

Understanding Administrative users

Besides the standard user account, there are also administrative user accounts. Administrative user accounts already have the following permissions:

  • Read/write/enact permissions for all resources
  • All Windows permissions

Although it may seem obvious that not all users should be able to read, modify, and delete every Windows resource, many enterprise IT departments that run older versions of Windows operating systems have no other option but to assign all of their users to the Local Administrators Group.

One of the benefits of UAC is that it allows users with administrative permissions to operate as standard users most of the time. When users with administrative permissions perform a task that requires administrative permissions, UAC prompts the user for permission to complete the task. When the user grants permission, the task is achieved by using full administrative rights, and then the account reverts to a lower level of permission.

The following screenshot shows us the administrator consent prompt for the Windows Command Prompt:

Figure 7.3 - The UAC consent prompt

When an administrative user account wants to perform an administrative task, then the consent prompt pops up. This administrative user does not need to enter a password because this user is already logged in with an Administrator account.

We will now move on and learn about the different types of elevation prompt.

Understanding the types of elevation prompt

As well as there being two different variations of elevation, there are also different types of elevation prompt. When permission or a password is necessary to complete a task, UAC notifies you with one of three different types of dialog boxes.

The three types of dialog box that users may see, each of which tells you how to respond, are as follows:

  • A setting or function that is part of Windows requires your permission to start executing
  • Software that is not part of Windows needs your permission to run
  • A program with an unknown publisher requires your consent to start

We will now move on and learn how to configure UAC notifications.

Configuring UAC notifications

In Windows 10, you can set UAC so that it notifies you when changes are made to your computer. You have four settings of the elevation prompt experience that you can customize. These are as follows:

  • Never notify me: You never want to be notified when programs attempt to update apps or make adjustments to your computer, and when you make changes to Windows settings, you never want to be informed.
  • Notify me only when apps try to make changes to my computer (do not dim my desktop): You only want to be notified when programs want to make changes to your computer, without dimming the desktop, and when you make adjustments to Windows settings, you don't want to be notified.
  • Notify me only when apps try to make changes to my computer (default): You only want to be notified when programs want to make changes to your computer and when you make adjustments to the Windows settings, you don't want to be informed.
  • Always notify me: You always need to be alerted when programs attempt to install software or make changes to your computer, as well as when adjustments are made to Windows settings.

If you wish to change how your UAC notifications work, follow these steps:

  1. Click on Start.
  2. Type UAC.
  3. Click on Change User Account Control settings.
  4. Use the slider to determine how Windows will prompt you.
  5. Click on OK and in the UAC dialog box, click Yes:

Figure 7.4 - The User Account Control Settings window

As shown in the previous screenshot, you can move the slider up and down. The default setting is Notify me only when apps try to make changes to my computer. Did you notice the little shield next to the OK button? This means that if you press OK, a UAC prompt will pop up to acknowledge your user rights to perform this change.
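As an added example (not code from the book or its GitHub repository), the following PowerShell reads the registry values that the slider in Figure 7.4 writes and maps them back to the four notification levels, flagging anything weaker than the default; it can also put a machine back on a chosen level. The registry path and value names are the standard UAC policy values; the mapping of slider positions to value pairs is an assumption based on what the slider writes on Windows 10.

```powershell
# Added example: audit (and optionally restore) the UAC notification level
# from the registry values that the User Account Control Settings slider writes.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Slider position -> ConsentPromptBehaviorAdmin / PromptOnSecureDesktop.
# Assumed mapping for the four levels described in the text.
$UacLevels = @(
    [pscustomobject]@{ Name = 'Always notify me';                                         Admin = 2; SecureDesktop = 1 }
    [pscustomobject]@{ Name = 'Notify me only when apps try to make changes (default)';    Admin = 5; SecureDesktop = 1 }
    [pscustomobject]@{ Name = 'Notify me only when apps try to make changes (do not dim)'; Admin = 5; SecureDesktop = 0 }
    [pscustomobject]@{ Name = 'Never notify me';                                          Admin = 0; SecureDesktop = 0 }
)

function Get-UacNotificationLevel {
    $p = Get-ItemProperty -Path $UacKey
    $enableLua     = [int]$p.EnableLUA                   # 0 = UAC switched off entirely (needs a reboot to apply)
    $adminPrompt   = [int]$p.ConsentPromptBehaviorAdmin  # how members of Administrators are prompted
    $secureDesktop = [int]$p.PromptOnSecureDesktop       # 1 = prompt on the dimmed secure desktop
    $userPrompt    = [int]$p.ConsentPromptBehaviorUser   # standard users: 0 = auto-deny, 1/3 = credential prompt

    $match = $UacLevels | Where-Object { $_.Admin -eq $adminPrompt -and $_.SecureDesktop -eq $secureDesktop } |
             Select-Object -First 1
    $level = if ($enableLua -ne 1) { 'UAC disabled (EnableLUA=0)' }
             elseif ($match)       { $match.Name }
             else                  { "Custom policy (Admin=$adminPrompt, SecureDesktop=$secureDesktop)" }

    [pscustomobject]@{
        Level                      = $level
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        ConsentPromptBehaviorUser  = $userPrompt
        PromptOnSecureDesktop      = $secureDesktop
        # Weaker than the default: UAC off, no secure desktop, or admins never prompted.
        WeakerThanDefault          = ($enableLua -ne 1) -or ($secureDesktop -ne 1) -or ($adminPrompt -eq 0)
    }
}

function Set-UacNotificationLevel {
    # Writes one of the four slider levels. Requires an elevated session, which
    # triggers the same UAC prompt that the shielded OK button in Figure 7.4 does.
    param([Parameter(Mandatory)][string]$Name)
    $target = $UacLevels | Where-Object Name -eq $Name
    if (-not $target) { throw "Unknown level '$Name'. Valid: $($UacLevels.Name -join '; ')" }
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1                     -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $target.Admin         -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value $target.SecureDesktop -Type DWord
}

Get-UacNotificationLevel | Format-List
# Restoring the default after someone has selected "Never notify me":
# Set-UacNotificationLevel -Name 'Notify me only when apps try to make changes (default)'
```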

In this section, you learned what User Account Control is, how it works, and how you can configure the notification settings of UAC. In the next section, you will look at how to set threat protection and learn about different advanced protection methods.

Configuring Threat Protection

A Windows 10 computer is more vulnerable to threats that originate from the network than from any other location. This is because network attacks can target a significant number of computers, while other forms of attack require physical access to the computer. In this section, you will understand what malware and threat protection are. Furthermore, you will learn about the advanced protection methods that you can use to reduce threats.

Understanding malware and threat protection

Malicious software, or malware, is software that attackers design to harm computer systems. Malware can do many things, from causing damage to the computer to allowing unauthorized parties remote access to the computer, to collecting and transmitting sensitive information to unauthorized third parties. There are several types of malware, including the following:

  • Computer viruses
  • Computer worms
  • Trojan horses
  • Ransomware
  • Spyware

To protect you against malware infections, you need to ensure that all your software and OS updates are installed. Of course, you need to ensure that you have installed and activated anti-malware software on all your devices and that the anti-malware software is up to date with the latest virus definitions.

As well as protecting your computer, you need to ensure you teach your end users to avoid installing pirated software or media, browsing suspicious websites, and opening suspicious email attachments, even if they are from senders that you trust.

Malware can infect the devices of even the most diligent people. For example, users with good malware avoidance habits might visit a reputable website that has been compromised, and that leverages an undisclosed exploit in popular software. This could be because the software vendor has not fixed that software because they are unaware that the exploit exists. These users' devices could then become infected.

Additionally, no anti-malware solution has a perfect detection rate. It is possible to take all the necessary precautions and still have your devices become infected. Taking precautions only reduces the probability that a person's equipment will be compromised by malware, though it does not eliminate the possibility.

We'll learn about phishing next.

Learning about phishing scams

Phishing is a form of online identity theft. Phishing uses emails, phone calls, texts, and malicious websites designed to steal your personal data or information such as credit card numbers, passwords, account details, or other information.

Cybercriminals are skilled at tricking you into providing your personal information to them, which can lead to identity theft and loss of data. Phishing is particularly dangerous because cybercriminals mask messages and calls as legitimate, using logos and acronyms that appear to be real.

Phishing threats cannot be stopped by merely configuring a setting in Windows. Phishing scams involve exposing login credentials or other secure data when the user is tricked into exposing them to the attacker. Therefore, teaching your end users about this is necessary in order to minimize threats from phishing.

The tricks that cybercriminals use for phishing are as follows:

  • Fake websites: If you receive a suspicious email message and it prompts you to click on a link, then you must hover over that link. If the link does not match the name or descriptive text in your email, you could have received a phishing email. If the link points to a website or company you've never heard of or visited before, this could be a phishing attempt.
  • Threats: Emails that threaten account closure could be from a cybercriminal. If you receive an email that pressures you to take action by threatening that your account will be closed, be careful. Cybercriminals use a variety of methods to steal your information and gain access to your data through threats and misinformation.
  • Spoofing companies or people you know: Scammers use graphics in email that appear to be connected to legitimate websites but take you to fraudulent scam sites or legitimate-looking pop-up windows. Spoofing can also occur when a scammer impersonates someone you know by mimicking their email address. Always check that the address you're replying to is the correct one.

There are also a few options you can use to confirm that an email is legitimate:

  • Uncover the URL: We can test a URL before clicking on it by placing the mouse pointer over it. Often, incorrect links are inserted into an email as a means of tricking the reader.
  • Poor grammar and spelling: Companies rarely send messages without the text being proofread, so numerous spelling and grammar errors can signify a scam message.
  • Company contact information and brand accuracy: Most companies have a recognizable brand identity in their emails. Look for logos, brand colors, and accurate contact information in the message.

Now that you know about the different types of phishing scams and what you can do to protect yourself against them, let's move on and understand the built-in Windows Security features we can use.

Understanding Windows Security

Devices and users need to be protected while they are online. To do this, they rely on the built-in defense features of Windows Security, which provide resilience against ever-increasing threats. The Windows Security feature is an app that is accessible from within the Settings app. The Windows Security app is a single portal for users to control and view their device's security, health, and online safety.

You can open the Windows Security app by following these steps:

  1. Click on Start.
  2. Browse to Windows Security.
  3. The Windows Security app will open. This app contains an overview of the status of the Windows Security features, as well as links to other settings and support, as shown in the following screenshot:

Figure 7.5 - The Windows Security feature

This Windows Security page, as shown in the previous screenshot, provides a status report covering the seven areas of security. From this page, you can review the various color-coded status icons that are available, which indicate the level of safety for that area. The three color codes are as follows:

  • Green: This is used to indicate that the device is sufficiently protected and that there aren't any recommendations to follow up.
  • Yellow: This is used to indicate that there is a safety recommendation that should be reviewed.
  • Red: This is used to indicate a warning, meaning that something needs immediate action.

The Windows Security app collects the statuses of each of the included security features and allows you to perform some configuration.

From the Windows Security feature inside the Settings app, you can open the standalone Windows Security app by clicking the Open Windows Security button, as shown in the following screenshot:

Figure 7.6 - The Windows Security standalone app

When a Windows Security item requires action from the end user, for example, to update the virus and threat protection definitions, the shield icon in the notification area of the taskbar will show a red cross to indicate that an action is required.

The previous screenshot shows seven security areas. These are explained as follows:

  • Virus & threat protection: This is used to monitor threats to your device, run scans, and gather updates to help protect you against the latest threats.
  • Account protection: This is used to access sign-in options and account settings, including features such as Windows Hello and Dynamic Lock.
  • Firewall & network protection: This is used to manage firewall settings and monitor network and internet connections.
  • App & browser control: This is used to review and update settings for Windows Defender SmartScreen and configure exploit protection settings.
  • Device security: This is used to review built-in security options that use virtualization-based security to help protect your device from attacks that may be performed by malicious software.
  • Device performance & health: This is used to view the status of your device's performance health.
  • Family options: This is used for features such as Parental control, which allows you to keep track of your kids' online activity.

In this section, you learned the basics of the Windows Security app, what malware is, and its different types. In the next section, you will learn about some of the advanced protection methods available in Windows 10.

Understanding advanced protection methods

One important part of protecting Windows 10 is to take a defense-in-depth approach. Threats come in many forms and can target a variety of specific services or applications. You, as an administrator, should assume that no single solution will be able to mitigate all threats, and you should be familiar with the tools and settings available that can help you secure devices. In the following sections, we will look at the tools and settings available in Windows 10 that help you secure devices.

Learning about the Security Compliance Toolkit

The Microsoft Security Compliance Toolkit helps an organization's security administrators effectively manage the Group Policy Objects (GPOs) of their enterprise. Administrators may compare their current GPOs with Microsoft GPO baselines or other baselines using the toolkit, then edit them, save them in GPO backup file format, and apply them to test their effects via a domain controller or directly inject them into test hosts.

In the following sections, you will learn about a few security features that you can implement in your environment.

Windows Security baselines

Microsoft provides recommended configuration settings, also known as security baselines, together with an explanation of their security impact. These security baselines are a huge benefit to customers because they bring expert knowledge from Microsoft and their partners.

You can use a security baseline to ensure that the user and device configuration settings are compliant with the baseline. You can set these configuration settings according to a baseline via Group Policy or Microsoft Intune.

Windows Device Health Attestation

Windows Device Health Attestation ensures that the Windows 10 OS has not been tampered with or compromised and helps verify the overall health of the system. Certain services (such as Exchange email, SharePoint, or Azure Active Directory (Azure AD) membership) take advantage of this service and can disallow access until a Windows 10 Enterprise edition Personal Computer (PC) meets specific qualifications.

For example, when a user tries to join a new Windows 10 PC to the Azure Active Directory, conditional access can verify the integrity of the PC using Windows Device Health Attestation and then ensure that BitLocker, Secure Boot, or Virtualization-Based Security features such as Credential Guard are enabled. If a user elects not to allow these settings to be configured, access to the requested resource is denied.

Let's briefly look at Secure Boot. Secure Boot is a security standard created to make sure that your PC boots up using only software trusted by the PC manufacturer. Secure Boot support started in Windows 8, and Windows 10 still supports it.

First, when starting the PC, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs), EFI applications, and the OS. If the signatures are found to be authentic and correct, the PC boots and the firmware gives control to the OS.

Secure boot prevents a dangerous and sophisticated form of malware — called a Rootkit — from loading on your computer when it starts. Rootkits have the same rights as the OS and can start even before the OS boots. Rootkits are also a part of a whole malware package that can bypass local logins, record passwords and keystrokes, switch private files, and capture cryptographic data.

Windows Device Health Attestation requires the use of modern authentication. Modern authentication is the name Microsoft uses to describe the Azure Active Directory Authentication Library (ADAL) for clients and other technologies that implement authentication using the OAuth 2.0 and OpenID Connect protocols. Microsoft has built these technologies natively into Windows 10, Office 2016, and Microsoft-hosted services such as Office 365.
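As an added example (not code from the book or its GitHub repository), the following PowerShell performs a local version of the checks that conditional access relies on after Device Health Attestation: Secure Boot on, the OS drive protected by BitLocker, and virtualization-based security with Credential Guard running. It assumes an elevated session on a Windows 10 machine; the cmdlets and the Win32_DeviceGuard class are standard Windows components, and the status codes are the documented values for that class.

```powershell
# Added example: local check of the device health claims described above.
# Run from an elevated PowerShell session on Windows 10.

function Test-DeviceHealthPosture {
    # Secure Boot: Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and
    # throws on legacy BIOS machines, which cannot be Secure Boot-protected at all.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $secureBoot = $false }

    # BitLocker: the OS volume must be fully encrypted with protection switched on.
    # A suspended protector still reports the volume as encrypted but not protected.
    $osVol     = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $bitLocker = ($osVol.VolumeStatus -eq 'FullyEncrypted') -and ($osVol.ProtectionStatus -eq 'On')

    # Virtualization-based security: Win32_DeviceGuard reports what is configured
    # versus what is actually running. VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI (memory integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $credGuard  = $vbsRunning -and ($dg.SecurityServicesRunning -contains 1)
    $hvci       = $vbsRunning -and ($dg.SecurityServicesRunning -contains 2)

    $checks = [ordered]@{
        SecureBoot       = $secureBoot
        BitLockerOsDrive = $bitLocker
        VbsRunning       = $vbsRunning
        CredentialGuard  = $credGuard
        MemoryIntegrity  = $hvci
    }
    # A device is reported compliant only when every check passed; the failed
    # checks are listed so the help desk knows what to remediate.
    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
    $checks['Compliant'] = ($failed.Count -eq 0)
    $checks['Failed']    = ($failed -join ', ')
    [pscustomobject]$checks
}

Test-DeviceHealthPosture | Format-List
```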

Windows Information Protection

Windows Information Protection (WIP) is a feature of Windows 10 Pro and Enterprise. This feature is intended to keep organizational data secure, regardless of the actions of end users.

When enabled, WIP watches for content that is downloaded from SharePoint, Office 365, and corporate web servers and file servers. It offers a range of controls, such as blocking content from being downloaded, warning users, or auditing their access to prevent data from being shared outside the organization.

WIP automatically protects the content that is downloaded to the device, and only approved applications can access it. An organization can also choose to securely wipe data from the device using Microsoft Intune or third-party Mobile Device Management (MDM).

WIP will provide encryption at rest using Microsoft's Encrypting File System (EFS) and will also utilize the Microsoft-hosted Azure Rights Management Services functionality, which is included with Office 365, to protect the data when the data egresses outside of the corporate network boundary or when it arrives on non-Windows platforms, such as iOS and Android.

Understanding Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) is a platform that is designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Unlike Windows Defender, which is available on each Windows 10 computer and managed by Group Policy or Intune, Windows Defender ATP is a whole new platform that helps administrators enhance security, as well as to establish centralized security control over both cloud and on-premises resources.

Important Note

Even though Windows Defender ATP shares the same name with Windows Defender in Windows 10, these are not the same products.

Windows Defender ATP can be used to monitor Windows Defender functionalities on local Windows 10 devices to maintain consistent configuration and an acceptable security level. Windows Defender ATP can also integrate with Office 365 Threat Intelligence and Microsoft Intune.

Windows Defender ATP uses the following combination of technologies, all of which are included in Windows 10 and the cloud service offered by Microsoft:

  • Endpoint behavioral sensors: Embedded in Windows 10, these sensors collect and process OS behavioral signals and send the sensor data to your private, isolated Windows Defender ATP cloud instance.
  • Cloud security analytics: Big data, machine learning, and unique Microsoft optics across the integrated Windows ecosystem translate the collected behavioral signals into insights, detections, and suggested responses to advanced threats.
  • Threat intelligence: Created by Microsoft hunters and security teams, and strengthened by partners' intelligence on threats, threat intelligence enables Windows Defender ATP to identify attacker tools, tactics, and procedures, and to produce alerts when these are observed in the collected sensor data.

The aforementioned technologies, when combined, provide very efficient, proactive monitoring regarding what happens on your client machines, servers, and network. They perform automated investigations on well-known incidents and provide some actions, before an administrator is even alerted.

Understanding Windows Defender Application Control

With thousands of new malicious files being created every day, using traditional methods such as antivirus solutions provides an inadequate defense against further attacks.

When an end-user runs a process, that process has to access the data that the user has. This can cause sensitive information to be quickly deleted or transmitted out of the organization.

This could happen when an end-user knowingly or unknowingly runs malicious software. Application control can help mitigate these types of security threats by restricting the applications that your end users are allowed to run.

Learning about Windows Defender Device Guard

Windows Defender Device Guard is broken down into two functions: Windows Defender Exploit Guard and Windows Defender Application Control. Such features are a combination of business-related hardware and software security features that will lock down a system when installed together so that it can only run trusted applications that are specified in the code integrity policies of an enterprise. If an application is not trusted, it cannot run, period.

This also means that even if an attacker manages to get control of the Windows kernel, they will be much less likely to be able to run malicious executable code on hardware that meets the basic requirements.

Understanding Windows Defender Credential Guard

Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Credential thefts, such as Pass-the-Hash, can lead to unauthorized access to your systems.

Windows Defender Credential Guard prevents these attacks by protecting the New Technology LAN Manager (NTLM) password hashes, Kerberos Ticket Granting Tickets, and credentials that are stored in applications. This is done by removing these credentials from the Local Security Authority (LSA).

Learning about Windows Defender Application Guard

Windows Defender Application Guard is designed for Windows 10 and the Microsoft Edge browser. It also helps isolate untrusted websites while your end users browse the internet. As an administrator, you need to define what the trusted sites are, which cloud resources you can trust, and, of course, you need to identify your internal networks. Everything not on your list is considered to be untrusted.

In the following screenshot, you can see how Defender Application Guard works on a device:

Figure 7.7 - Hardware isolation with Defender Application Guard

If an employee goes to an untrusted site through the Microsoft Edge browser, the browser opens the site in an isolated Hyper-V-enabled container, which is separate from the host OS. If the site turns out to be malicious, the host PC is protected.

Understanding Windows Defender Exploit Guard

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities for Windows 10. It allows administrators to define and manage policies for attack surface reduction, exploit protection, network protection, and preventing suspicious apps from accessing folders that are typically targeted.

Now, you know about most of the different built-in features in Windows 10 that you can use to secure your OS. You know what you can do with Windows Information Protection and how you can implement the Windows Security baselines. All of these Windows Defender features were covered in this section.

Now, you need to know what the differences are between these Windows Defender features and what they do. Next, we'll learn how to implement encryption on disk or at the file level.

Implementing encryption

There are two types of encryption technologies available for Windows 10 devices: BitLocker and Encrypting File System (EFS). Both tools are available for use on all Windows 10 editions, except for Windows 10 Home. While both technologies offer robust methods of encryption, you need to understand how to implement each technique.

EFS has been available since Windows 2000, but very few organizations implement this type of encryption. Most organizations that require encryption choose to use BitLocker Drive Encryption. The difference between EFS and BitLocker is that EFS encrypts at the folder and file level, while BitLocker encrypts complete hard disks and removable drives.

First, we will understand BitLocker.

Implementing BitLocker

BitLocker allows you to encrypt an entire volume, which can be the Windows 10 OS drive, a data drive, or a removable drive. For the OS drive, BitLocker requires a small unencrypted system partition that holds the boot files alongside the encrypted OS partition; the BitLocker setup wizard creates this partition if it does not already exist. BitLocker helps to ensure that data stored on a computer remains encrypted, even if someone tampers with the machine while the OS is not running.

BitLocker offers a tightly integrated Windows 10 solution to help tackle the problem of data theft or data leakage from devices that have been lost, compromised, or improperly decommissioned. Data on these types of computers may become vulnerable to unauthorized access when a hacker either runs a software attack tool against it or transfers the hard disk of the computer to a different computer.

By enhancing Windows file and system protection, BitLocker helps to prevent unauthorized access to data. BitLocker also helps make data unavailable as you decommission or recycle computers that are secured by BitLocker.

Windows 10 (version 1511 and later) offers a newer encryption mode, XTS-AES, for BitLocker; earlier versions used AES-CBC. XTS-AES protects against a class of attacks in which an attacker with physical access manipulates the ciphertext on disk to cause predictable changes in the decrypted data. You can choose the mode and key length (128-bit or 256-bit) with the Group Policy setting Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later). Microsoft recommends that customers enable XTS-AES on newly provisioned devices; drives that were already encrypted with AES-CBC keep that mode until they are decrypted and re-encrypted. One caveat: removable drives encrypted with XTS-AES cannot be read on Windows 7 or Windows 8.1, so AES-CBC remains the choice where that compatibility is needed.

BitLocker performs two functions that provide both offline data protection and system integrity verification:

  • It encrypts all data that is stored on the Windows OS volume (and any data volumes you configure). Because encryption happens at the volume level, every application that stores data on the encrypted volume, Microsoft or non-Microsoft, benefits automatically without being modified.
  • By default, it uses a Trusted Platform Module (TPM) chip to verify the integrity of early startup components. The TPM records measurements of the firmware, the boot manager, and the other early boot files, and BitLocker seals the volume key to those measurements. If the measurements taken at boot match, the TPM releases the key to the Windows OS Loader.

    If the TPM detects changes to the measured components, it does not release the key, and any volumes secured by BitLocker remain locked until the recovery key is supplied. The data stays protected even if somebody tampers with the machine while the OS is not running.

    Important Note

    The Windows 10 installation process partitions the computer's hard disk to enable the use of BitLocker.

As we mentioned earlier, BitLocker uses the TPM chip to verify the integrity of the startup process as follows:

  • It checks that the early boot files have not been modified, which helps ensure that no adverse changes, such as boot-sector viruses or rootkits, have been made to them.
  • It mitigates offline, software-based attacks: any alternative software used to start the system, such as a bootable USB stick, does not have access to the decryption keys for the Windows OS volume.
  • When the machine is tampered with, it locks the user out. If any of the monitored files have been changed, the system does not start normally but prompts for the recovery key, which alerts the user that tampering has occurred. BitLocker provides a simple recovery process for such lockouts, based on the 48-digit recovery password.

In conjunction with the TPM chip, BitLocker verifies the integrity of early startup components. This helps to prevent additional offline attacks, such as attempts to insert malicious code into these components. This functionality is necessary because the components from the earliest part of the startup process must be available in an unencrypted format so that the computer can start.

Important Note

You might need to enable the TPM in your computer's firmware setup, that is, in the basic input/output system (BIOS) or UEFI settings.

If an attacker can gain access to the components of the startup process, they can modify the code in those components and gain access to the computer, even if the data on the disk is encrypted. Once the intruder has captured confidential information such as BitLocker keys or user passwords in this way, they can bypass BitLocker and other security measures in Windows.

BitLocker does not require a TPM chip. However, only a computer with a TPM (version 1.2 or 2.0) can provide the additional security of pre-startup system integrity verification. To check whether a computer has a compatible TPM, perform the following steps:

  1. Open the Control Panel.
  2. Click System and Security.
  3. Click BitLocker Drive Encryption.
  4. In the lower-left corner, click TPM Administration:

    Figure 7.8 - The BitLocker Drive Encryption window

  5. The Trusted Platform Module Management on the Local Computer console will open:

Figure 7.9 - The TPM Management on the Local Computer console

In the previous screenshot, we can see the TPM Management console. In this console, you can see that the machine has a TPM chip installed and that it is ready for use. On the right-hand side of the console, you can choose some actions, such as clearing the TPM chip (which discards the keys it holds, so always have the BitLocker recovery password at hand before doing so).

If the computer does not have a compatible TPM, the message Compatible TPM cannot be found is displayed instead.

Important Note

If the computer does not have a compatible TPM, you can still use BitLocker to encrypt the Windows OS volume, provided that the Group Policy setting Require additional authentication at startup is enabled with the Allow BitLocker without a compatible TPM option selected. This implementation requires the user to insert a USB startup key or enter a password to start the computer or resume it from hibernation. It also does not provide the pre-startup system integrity verification that BitLocker offers when working with a TPM.
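The script below is an added example, not code from the book, that carries out the decisions just described in PowerShell: it checks for a usable TPM, enables BitLocker on the OS drive with XTS-AES-256, chooses a TPM protector or a USB startup key depending on the hardware, adds a recovery password, and escrows it in Active Directory. The drive letters C: and E:, the registry values used for the no-TPM policy on a standalone machine, and the availability of a domain controller are assumptions for the example.

```powershell
# Added example (not from the book): enable BitLocker on the OS drive from an elevated prompt,
# selecting the key protector based on whether a ready TPM is present.
# Assumptions: OS drive is C:, E:\ is a removable drive for a startup key on a TPM-less machine,
# and the device is domain-joined so the recovery password can be backed up to AD DS.

$osDrive = 'C:'

# 1. Is there a TPM, and is it ready? (Get-Tpm comes from the TrustedPlatformModule module.)
$tpm = Get-Tpm
"TPM present: $($tpm.TpmPresent)  TPM ready: $($tpm.TpmReady)"

# 2. Do nothing if the drive is already protected. Get-BitLockerVolume also reports the cipher.
$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -eq 'On') {
    "Already protected with $($vol.EncryptionMethod); nothing to do."
    return
}

# 3. Turn on BitLocker with XTS-AES-256. -EncryptionMethod is the PowerShell equivalent of the
#    Group Policy setting "Choose drive encryption method and cipher strength".
if ($tpm.TpmPresent -and $tpm.TpmReady) {
    # TPM protector: the TPM releases the key only if the measured boot chain is unchanged.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
} else {
    # No TPM: the policy "Require additional authentication at startup" with
    # "Allow BitLocker without a compatible TPM" must be in place first. On a standalone machine
    # the same policy is expressed by these registry values (assumed here, set via GPO in a domain):
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup'  -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM'  -Value 1 -Type DWord
    # The USB startup key is needed at every boot and no boot-integrity check is performed.
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -StartupKeyProtector -StartupKeyPath 'E:\' -UsedSpaceOnly -SkipHardwareTest
}

# 4. Always add a recovery password as well: a firmware update, a cleared TPM, or a motherboard
#    swap changes the measurements, and without the recovery password the data is gone.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

# 5. Escrow the recovery password in Active Directory so the helpdesk can retrieve it later.
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

# 6. Report the outcome. EncryptionPercentage climbs in the background; ProtectionStatus turns
#    On once encryption of the used space has completed.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
                  @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

The -UsedSpaceOnly switch is appropriate for a freshly provisioned device; for a machine that has already held confidential data, omit it so that previously deleted file contents in free space are encrypted too.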

Besides BitLocker, you can also use the Encrypting File System. BitLocker and EFS are built into Windows 10. Most organizations use BitLocker, but you also need to know how EFS works. You'll learn how to use it in the next section.

Implementing Encrypting File System

The built-in Encrypting File System is a powerful method that's used to restrict access to files on NTFS volumes. As we mentioned earlier, very few organizations implement file and folder encryption. In the organizations where EFS is applied, it is necessary to ensure that users and members of the IT department understand how EFS keys and recovery agents work: EFS is only a secure method of protecting files if the keys are backed up, because a lost key means unrecoverable data.

Only the account that encrypted the file, any additional users the owner explicitly adds to the file, and a configured data recovery agent (DRA) can decrypt it. A local administrator cannot simply take ownership of the file and read its contents; without a DRA or the user's private key, the data remains inaccessible.

Users can encrypt the files and folders they have created on an NTFS hard disk by right-clicking the file and selecting Properties from the context menu that appears.

In the Advanced Attributes dialog box, as shown in the following screenshot, select the option to Encrypt contents to secure data:

Figure 7.10 - The Advanced Attributes dialog box

Encryption should not be used without prior planning and without establishing precautions to secure the encryption keys that are used. EFS protects data from anyone who obtains the file without the user's key, which makes it a useful last line of defense when other controls, such as NTFS permissions, have been bypassed, for example by reading the disk from another operating system.

EFS uses a symmetric file encryption key (FEK) to encrypt the file contents with AES, and the Windows Public Key Infrastructure (PKI) to protect the FEK: the FEK is encrypted with the user's EFS public key and stored with the file, and only the matching private key can recover it. If no certificate is available from a certification authority, Windows generates a self-signed EFS certificate for the user the first time they encrypt a file. Encrypted data can only be decrypted if the user's certificate and private key are available on the computer, which is why backing them up is essential.

Some key points that you need to know about EFS are as follows:

  • Encryption and decryption of files and folders happen behind the scenes and are not visible to users.
  • Data is encrypted as it is written to disk and decrypted as it is read; applications never see ciphertext.
  • EFS is only available on NTFS formatted volumes.
  • EFS keys are assigned to a specific user and not to a computer.
  • An EFS protected file can be moved or copied by anyone who can decrypt it, normally the file owner.
  • If you copy or move an encrypted file to a volume that does not support EFS, such as FAT32 or exFAT, the file is stored decrypted at the destination.
  • Encrypted files and folders show a padlock icon over each file or folder in File Explorer.
  • EFS uses the Advanced Encryption Standard (AES), with a 256-bit key by default.
  • EFS is only available on Windows 10 Pro, Enterprise, and Education.
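The following PowerShell script is an added example, not code from the book, that performs the EFS tasks described above from the command line rather than the Advanced Attributes dialog: it confirms the volume is NTFS, encrypts a folder, verifies the Encrypted attribute, lists who can decrypt, and backs up the user's EFS certificate with its private key. The folder name, the sample file content, and the backup path are assumptions constructed for the example.

```powershell
# Added example (not from the book): encrypt a folder with EFS, verify it, and back up the
# EFS key. Run as the user who owns the data; no elevation is needed.

$folder = Join-Path $env:USERPROFILE 'Documents\Confidential'   # assumed folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path (Join-Path $folder 'notes.txt') -Value 'constructed sample content'

# 1. EFS only works on NTFS. Check first: on exFAT/FAT32 the option is simply missing.
$driveLetter = ([System.IO.Path]::GetPathRoot($folder)).TrimEnd(':\')
$fs = (Get-Volume -DriveLetter $driveLetter).FileSystemType
if ($fs -ne 'NTFS') { throw "EFS requires NTFS, but drive $driveLetter is $fs" }

# 2. Encrypt the folder and its contents (/s recurses). New files created in the folder
#    inherit encryption. This is the command-line equivalent of 'Encrypt contents to secure data'.
cipher.exe /e /s:"$folder" | Out-Null

# 3. Verify: the Encrypted attribute is set on each file (Explorer shows the padlock icon).
Get-ChildItem -Path $folder -Recurse -File | ForEach-Object {
    $encrypted = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
    [pscustomobject]@{ File = $_.Name; Encrypted = $encrypted }
}

# 4. Who can decrypt? cipher /c lists the certificate thumbprints of the users and any
#    data recovery agent that hold a copy of the file encryption key.
cipher.exe /c (Join-Path $folder 'notes.txt')

# 5. Locate the EFS certificate Windows generated for this user. EFS certificates carry the
#    enhanced key usage OID 1.3.6.1.4.1.311.10.3.4 (Encrypting File System).
$efsCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate found; encrypt a file first to have one generated.' }
"EFS certificate thumbprint: $($efsCert.Thumbprint)"

# 6. Back up the certificate WITH its private key. If the key is lost (profile wiped, OS
#    reinstalled, or a local account's password reset by an administrator, which discards
#    the DPAPI master key), the encrypted files cannot be recovered.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the key backup'
$backup = Join-Path $env:USERPROFILE 'efs-backup.pfx'   # assumed path; move it off the device
Export-PfxCertificate -Cert $efsCert -FilePath $backup -Password $pfxPassword | Out-Null
"Key backed up to $backup - store it offline or in a password manager, not next to the data."
```

Step 4 is the check a practitioner wants before relying on EFS in an organization: if cipher /c lists no recovery agent, a user who loses their key has no fallback, so configure a DRA through Group Policy before rolling EFS out.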

In this section, you learned how to implement BitLocker and the Encrypting File System. As we've mentioned several times, BitLocker is used in more organizations than EFS.

BitLocker encrypts a whole volume, either the full drive or only the used space. EFS is used to encrypt single files and folders. Both encryption methods use AES, which is the standard symmetric cipher in use today.

In the next section, you will learn how to use AppLocker to lock down applications and prevent users from running unauthorized software.

Using AppLocker

The organizations of today face many challenges in controlling which applications run on client computers. These challenges include managing the following:

  • The Universal Windows Platform apps and desktop apps that users can access
  • Which users are allowed to install new applications
  • Which versions of the applications are allowed to run, and for which users

Computers running unauthorized software experience a higher incidence of malware infections and generate more helpdesk calls. However, it can be difficult for you to ensure that users' computers run only approved and licensed software.

You can use AppLocker to specify which software can run on a user's PC. AppLocker enables users to run the applications, installation programs, and scripts that they require to be productive while still providing the security and compliance benefits of application standardization.

Important Note

Only Windows 10 Enterprise and Windows 10 Education editions support AppLocker. AppLocker is unable to control processes running under the system account on any OS.

AppLocker can be useful for organizations that want to limit the number and types of applications that can run. This can be achieved by preventing unlicensed software or malware from running, and by restricting the ActiveX controls that are installed.

You can also reduce the total cost of ownership by making sure that workstations are homogeneous across an enterprise and that users run only the software and applications that the enterprise approves. You can also reduce the security risks and the possibility of information leaks from running unauthorized software.

Understanding AppLocker rules

You can prevent many problems in your work environment by controlling which applications a user can run. AppLocker enables you to do this by creating rules that specify exactly which applications a user can run. Publisher rules, which match on the digital signature rather than a file hash, continue to work even when applications are updated.

Because you configure AppLocker with Group Policy, you need to understand Group Policy creation and deployment. This makes AppLocker ideal for organizations that already use Group Policy to manage their Windows 10 computers, or that need to control per-user application installations.

To author AppLocker rules, you use the AppLocker Microsoft Management Console (MMC) snap-in in the Group Policy Management Editor window:

Figure 7.11 - The AppLocker MMC

AppLocker provides several rule-specific wizards. You can use one wizard to create a single rule and another wizard to generate rules automatically, based on your rule preferences and the folder that you select. The four wizards that AppLocker provides administrators with to author rules are Executable Rules Wizard, Windows Installer Rules Wizard, Script Rules Wizard, and Packaged App Rules Wizard.

At the end of each wizard, you can review the list of analyzed files. You can then modify the list to remove any file before AppLocker creates rules for the remaining files.

The events for AppLocker are stored in Event Viewer on the local computer, under Applications and Services Logs\Microsoft\Windows\AppLocker. You can review these events to check whether your AppLocker rules are being applied as intended. AppLocker uses the following event IDs, among others, which you can use to troubleshoot AppLocker from the client:

  • Event ID 8000: The AppLocker policy was not applied correctly
  • Event ID 8004: A .exe or .dll file was prevented from running
  • Event ID 8007: A script or .msi file was prevented from running
  • Event ID 8022: A packaged app was prevented from running
  • Event ID 8025: A packaged app was prevented from being installed

When a rule collection is in audit-only mode, the corresponding IDs 8003 (.exe or .dll) and 8006 (script or .msi) record what would have been blocked, which is how you find the gaps in a policy before enforcing it.

AppLocker provides you with the ability to control which users can run designated desktop apps such as executables (.exe files), scripts, Windows Installer files (.msi and .msp), and dynamic link libraries (.dll). You can use AppLocker to specify which Universal Windows apps (.appx) users can install and use on their computers.

We will now move on and learn about how to configure AppLocker.

Configuring AppLocker

To enable AppLocker restrictions, for example, Universal Windows apps, you must configure the appropriate Group Policy settings by performing the following procedure:

  1. Open the Local Group Policy Editor (gpedit.msc).
  2. Under Local Computer Policy, in the left pane, navigate to Computer Configuration\Windows Settings\Security Settings\Application Control Policies\AppLocker.
  3. Click on Packaged app Rules.
  4. Right-click Packaged app Rules.
  5. Click Create New Rule.
  6. Use the Create Packaged app Rules wizard to configure an application restriction policy:

    Figure 7.12 - The Create Packaged app Rules wizard

  7. Click Create to create the rule.

You should also create the default rules for the collection. The default packaged app rule allows all signed packaged apps to run for Everyone; without it, once the collection is enforced, every packaged app your explicit rules do not allow is blocked, including the built-in Windows apps. An explicit deny rule you create always overrides an allow rule such as this default. To create the default rules, perform the following steps:

  1. Right-click Packaged app Rules.
  2. Click Create Default Rules:

Figure 7.13 - The Create Default Rules option

At this point, you have a specific packaged app rule and a set of default rules. Once a rule collection is configured, it is enforced by default. To switch the collection to audit-only mode instead, perform the following steps:

  1. Right-click the AppLocker node.
  2. Click Properties.

    In the AppLocker Properties dialog box, select the Configured check box adjacent to Packaged app Rules. In the list, depending on your requirements, select either Enforce rules or Audit only and then click OK:

Figure 7.14 - The AppLocker Properties dialog box

Enforcement of AppLocker rules requires that the Application Identity service (AppIDSvc) runs on all computers affected by your AppLocker policy. This service identifies applications, and then processes the AppLocker policies against the identified applications. On Windows 10, the Application Identity service is a protected process, so you can no longer set its startup type to Automatic from Services.msc. Instead, run sc.exe config appidsvc start= auto from an elevated command prompt and then start the service, or configure it through the System Services settings of a GPO. If the service is not running, no rule is evaluated and every application runs, regardless of the policy.
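The following PowerShell script is an added example, not code from the book, that does with the AppLocker cmdlets what the procedure above does in the Group Policy editor, and that reads the event IDs listed earlier in this section to verify the result. It enables the Application Identity service, generates publisher and hash rules from an approved application folder, deploys them locally in audit-only mode, dry-runs the effective policy against two files, and lists the AppLocker events. The application folder, the test file names, and the domain group are assumptions for the example.

```powershell
# Added example (not from the book): build, deploy (audit-only), test and verify an AppLocker
# policy with PowerShell. Run elevated on Windows 10 Enterprise/Education.

$approvedDir = 'C:\Program Files\LineOfBusinessApp'   # assumed install location of an approved app
$policyFile  = Join-Path $env:TEMP 'applocker-audit.xml'

# 1. The Application Identity service must run or no rule is evaluated. It is a protected
#    service on Windows 10, so set the start type with sc.exe (or a GPO), not Services.msc.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 2. Collect publisher and hash information for every controllable file in the folder.
$fileInfo = Get-AppLockerFileInformation -Directory $approvedDir -Recurse -FileType Exe, Dll, Script, WindowsInstaller

# 3. Generate rules: publisher rules for signed files (they survive version updates), hash rules
#    for unsigned ones. -Optimize merges rules that share a publisher into a single rule.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User 'Everyone' -Optimize -Xml

# 4. Force every rule collection to AuditOnly before deploying: a missed dependency then shows up
#    as an 8003/8006 audit event instead of a user who cannot work.
$policyXml = $policyXml -replace 'EnforcementMode="[^"]+"', 'EnforcementMode="AuditOnly"'
$policyXml | Set-Content -Path $policyFile -Encoding UTF8

# 5. Apply locally, merging with any rules already present (keep the default rules: they allow
#    the Windows and Program Files folders, which a policy containing only your rules would block).
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# 6. Dry-run the effective policy against files as a given user. The PolicyDecision column reports
#    Allowed, Denied or DeniedByDefault without launching anything.
$effective = Join-Path $env:TEMP 'applocker-effective.xml'
Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $effective -Encoding UTF8
Test-AppLockerPolicy -XmlPolicy $effective `
    -Path 'C:\Windows\System32\notepad.exe', (Join-Path $env:TEMP 'unknown-tool.exe') `
    -User 'CONTOSO\Finance-Users'                         # assumed domain group

# 7. Review what AppLocker logged. 8000 = policy not applied; 8003 = exe/dll would have been
#    blocked (audit); 8004 = exe/dll blocked (enforce); 8006/8007 = the same for scripts and MSI.
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $logs; Id = 8000, 8003, 8004, 8006, 8007 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 20 TimeCreated, Id, Message
```

Keep the policy in audit-only mode for at least one business cycle and work through the 8003/8006 events before switching the collections to Enforce rules; the events name the file, the user, and the rule collection, which is exactly the information needed to add the missing allow rules.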

In this section, you learned what AppLocker is and why it is important for an organization so that they can reduce the number of applications that can be run. If an AppLocker policy does not work, you can check the Event Viewer for specific event IDs to troubleshoot the problem. Furthermore, you learned how to configure AppLocker settings.

Summary

In this chapter, you learned about the use of User Account Control to prevent unwanted programs, such as malware, from being installed on a computer. You learned about the two types of elevation prompts and also learned how to configure UAC notifications.

Furthermore, you learned what threat protection is and what types of threat protection there are. Using many of the built-in Windows Defender features makes your computer much safer. You learned what the security baselines are and how you can implement them. To protect company information, you can use Windows Information Protection.

Another form of security that you can implement is encryption. In this chapter, you learned about BitLocker and the Encrypting File System. More organizations are embracing BitLocker rather than EFS, but EFS is not a bad choice for protecting individual files on a shared machine.

The last thing you learned about is how AppLocker works and how you can configure AppLocker with rule collections for executables, Windows Installer files, scripts, and packaged apps.

In the next chapter, you will learn about the fundamentals of how you can configure connections, such as LAN and Wi-Fi.

Questions

  1. Can a standard user reset the network adapter?
  2. Are there four settings for UAC notifications? If yes, name them.
  3. Can WIP automatically protect the content that is downloaded to the device?
  4. Can EFS encrypt the whole hard disk?
  5. Can BitLocker be used without a TPM chip?
  6. Is AppLocker Event ID 8023 a valid event ID?

Further reading