pixel_dreams - Fotolia


Discover three key exploit protection features in Windows 10

To defend against memory-based attacks, Microsoft introduced three key features to Windows Defender Exploit Guard, including Address Space Layout Randomization.

Windows 10 includes intrusion prevention capabilities that protect devices against multiple types of attacks, including memory-based exploits that attempt to manipulate built-in memory to control the underlying system.

The memory safeguards, which debuted in the Windows 10 Fall Creators Update, are part of the exploit protection features available in Windows Defender Exploit Guard. They incorporate many of the capabilities of the Enhanced Mitigation Experience Toolkit (EMET), which Microsoft plans to retire.

Microsoft has improved on EMET's protections with these safeguards and made them configurable through Group Policy Objects. The process mitigation options allow administrators to control how a system responds to memory-based attacks, such as malware that tries to use buffer overruns to inject malicious code into memory.

The exploit protection features include three categories of settings specific to process mitigation.

  • Data Execution Prevention (DEP)
  • Address Space Layout Randomization (ASLR)
  • Structured Exception Handling Overwrite Protection (SEHOP)

Administrators have multiple ways to customize these and other exploit protection options. For example, they can configure the settings on an individual computer, export the configuration to an XML file and then use Group Policy to distribute the file's settings to other computers. Administrators can also use PowerShell to directly configure the settings on connected desktops.

Data Execution Prevention

Some memory-based malware tries to insert malicious code into an application's memory expecting the code to execute at a later time. This form of attack is difficult to track because it leaves no evidence after a system reboot. DEP settings address these risks by reducing the range of available memory that malware can use.

DEP prevents executable files from running in areas of memory allocated strictly for storage. It accomplishes this by using the no-execute (NX) bits available to newer CPUs to mark memory blocks as read-only. Malicious code cannot run on these blocks, even if malware manages to exploit an application vulnerability and is able to insert the malicious code.

Windows 10 currently supports only two DEP-related settings. The first setting controls whether DEP is enabled -- it is enabled by default.

The second setting, Active Template Library (ATL) thunk, is a sub-setting of the first that determines whether DEP/ATL thunk emulation is enabled. If enabled, the system intercepts NX faults that originate in the ATL thunk layer. The ATL is a set of template-based C++ classes IT can use to create small Component Object Model objects. A thunk is a small code segment for injecting additional calculations into a sub-routine.

Address Space Layout Randomization

Another way malware attempts to gain access to a system is by identifying a vulnerability in a privileged process and then using that vulnerability to locate where important code or data resides in-memory. The malware then tries to overwrite the code or data with its own malicious code. For example, attackers might use heap spraying -- an attack that tries to arbitrarily execute code -- to write a series of bytes to predetermined locations in-memory to prepare it for a separate attack.

To protect against this type of vulnerability, Windows 10 exploit protection uses ASLR to increase the level of randomness many times beyond what was capable in previous Windows versions. The ASLR features randomize how and where critical components reside in-memory, making memory locations less predictable.

Only administrators with an in-depth knowledge of mitigation techniques, memory-based threats and how applications handle memory should adjust the process mitigation options.

Windows currently supports three ASLR-related settings. The first one, mandatory ASLR, forces the randomization of executable images -- processes -- in-memory. This is the only process mitigation option disabled by default.

The second ASLR setting, bottom-up ASLR, randomizes the location of virtual memory allocations. High-entropy ASLR is a sub-setting of bottom-up ASLR that increases the variability of randomized memory allocations.

Structured Exception Handling Overwrite Protection

SEHOP is a Windows 10 exploit protection feature that helps prevent malicious code from attacking Structured Exception Handling (SEH), a built-in system for managing hardware and software exceptions. The system is essential for Windows applications to handle kernel and user mode exceptions.

Windows 10 implements the SEHOP mechanisms at runtime, making it possible to protect applications whether they've been compiled with recent improvements or not. Microsoft designed SEHOP to block exploits that use SEH overwrite techniques. Some applications can run into compatibility issues when SEHOP is enabled, so organizations must test their deployments for possible issues.

Windows supports only one SEHOP option, which determines whether the SEHOP features are enabled.

Microsoft recommends that only administrators with an in-depth knowledge of mitigation techniques, memory-based threats and how applications handle memory should adjust the process mitigation options. If administrators do modify these settings, they should implement the changes in a test deployment before rolling them out across the entire organization. Only then can they ensure that their applications continue to behave as they should and that their systems remain protected.

Dig Deeper on Desktop management

Virtual Desktop