Microsoft Releases Standards for Highly Secure Windows 10 Devices

Solarquest

Yesterday, Microsoft released new standards that consumers should follow in order to have a highly secure Windows 10 device. These standards include the type of hardware that should be included in the system and the features of the firmware.

Hardware Standards
The hardware standards are broken up into 6 categories, which are processor generation, processor architecture, virtualization, trusted platform modules (TPM), platform boot verification, and RAM.

For processor generation, Microsoft recommends that users use Intel & AMD 7th Generation processors. When questioning these requirements, Windows Offensive Security Team and Windows Device Security manager Dave Weston stated that the 7th generation CPUs contained Mode-based execution control (MBEC), which provides further kernel security.
...
...
...
 

ZeroDay

I guess the majority of consumers who purchase their PCs and laptops from places such as PC WORLD should point out to the staff that most of their systems with low-end CPUs and 2-4 GB of RAM do not meet Microsoft's security standards.
 

plat1098

Aw snap, just missed it with my 6th gen. i7s. Oh well.

I guess the majority of consumers who purchase their PCs and laptops from places such as PC WORLD should point out to the staff that most of their systems with low-end CPUs and 2-4 GB of RAM do not meet Microsoft's security standards.

That's being a good doobie, lol.
 

Vasudev

Does anyone understand why your computer needs 8 GB Ram in order to be secure?
And what is this CPU virtualization business all about?
It allows apps to use memory in random addresses thanks to ASLR and other features in Windows 10 FCU.
They could have made SSD mandatory as well at the price point as HDD models.
 

shmu26

It allows apps to use memory in random addresses thanks to ASLR and other features in Windows 10 FCU.
They could have made SSD mandatory as well at the price point as HDD models.
Interesting. Also Comodo has an enhanced protection mode that utilizes hardware virtualization, when available.
 

Vasudev

Interesting. Also Comodo has an enhanced protection mode that utilizes hardware virtualization, when available.
Hardware virtualization? I don't remember seeing that feature enabled on consumer OS. If you are running Hyper-V you might get that feature.
Are you talking about Virtual Writes to registry or NX bit or execute bit XD or something that protects against known malware?
 

shmu26

Hardware virtualization? I don't remember seeing that feature enabled on consumer OS. If you are running Hyper-V you might get that feature.
Are you talking about Virtual Writes to registry or NX bit or execute bit XD or something that protects against known malware?
It seems to refer to enabling CPU virtualization in the firmware. I am talking about the option in the BIOS that you need to enable, so you can run x64 virtual machines.
Comodo warns that if you enable their enhanced protection, things like x64 virtual machines might not work right.
I hope I am saying this right, I don't have a proper understanding of these matters.
 

zzz00m

I doubt that these standards will be relevant for consumer end users. This statement appears to be directed to the enterprise market. Especially since I am not aware of any consumer motherboards shipping with a discrete hardware TPM.
 

Deleted member 65228

It allows apps to use memory in random addresses thanks to ASLR and other features in Windows 10 FCU.
They could have made SSD mandatory as well at the price point as HDD models.
You don't need 8GB RAM to use features like ASLR. Anti-Exploit software like Malwarebytes Anti-Exploit has supported BottomUp ASLR enforcement for various software for years and years now anyway. Software which has ASLR enabled at compilation time (through linker options) can run on low-end systems too.

Comodo warns that if you enable their enhanced protection, things like x64 virtual machines might not work right.
It is because Comodo uses the hypervisor for their sandbox (real virtualisation). Features like Intel VT-x/AMD SVM can be enabled at BIOS level if the hardware supports it (CPU to be precise).
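
The post above notes that ASLR is opted into at build time through linker options. The following is an added example, not part of the original thread or any poster's code: it reads the opt-in bits that those options record in a Windows PE header. `mitigation_flags`, `build_sample` and the `ASLR_EFFECTIVE` heuristic (DYNAMIC_BASE set and relocations not stripped) are names and assumptions of this example, and the sample header bytes are constructed.

```python
import struct

# DllCharacteristics bits from the PE/COFF optional header.
FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,  # /HIGHENTROPYVA (64-bit ASLR)
    "DYNAMIC_BASE": 0x0040,     # /DYNAMICBASE (ASLR opt-in)
    "NX_COMPAT": 0x0100,        # /NXCOMPAT (DEP opt-in)
    "GUARD_CF": 0x4000,         # /guard:cf (Control Flow Guard)
}
RELOCS_STRIPPED = 0x0001        # COFF Characteristics bit


def mitigation_flags(image: bytes) -> dict:
    """Return the exploit-mitigation opt-ins recorded in a PE header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if pe_off + 24 + 72 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    (coff_chars,) = struct.unpack_from("<H", image, pe_off + 22)
    opt = pe_off + 24  # optional header follows signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    result = {name: bool(dll_chars & bit) for name, bit in FLAGS.items()}
    result["PE32_PLUS"] = magic == 0x20B
    # Assumption of this example: without relocations the image cannot move.
    result["ASLR_EFFECTIVE"] = result["DYNAMIC_BASE"] and not (coff_chars & RELOCS_STRIPPED)
    return result


def build_sample(dll_chars: int, coff_chars: int = 0x0022, magic: int = 0x20B) -> bytes:
    """Constructed minimal header (not a runnable program) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, coff_chars)
    optional = bytearray(240)
    struct.pack_into("<H", optional, 0, magic)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)


if __name__ == "__main__":
    print(mitigation_flags(build_sample(0x4160)))                    # all opt-ins set
    print(mitigation_flags(build_sample(0x0040, coff_chars=0x0023))) # relocs stripped
```

To audit a real binary, pass the first few kilobytes of the file to `mitigation_flags` in place of the constructed sample.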
 

DeepWeb

The way Microsoft will be doing this "highly secure" recommendation from now on, consumers will be buying new hardware every few years if they want a system that meets the "highly secure" specifications.
Reminds me of that stupid performance score from Vista/7 days and it would always be low unless you had an SSD which no one had back then.
 

shmu26

It is because Comodo uses the hypervisor for their sandbox (real virtualisation). Features like Intel VT-x/AMD SVM can be enabled at BIOS level if the hardware supports it (CPU to be precise).
But Comodo places the enhanced protection feature under the HIPS tab, not under the sandbox (autocontainment) tab. Their manual says it is to prevent HIPS from being bypassed by advanced exploits.
 

Deleted member 65228

But Comodo places the enhanced protection feature under the HIPS tab, not under the sandbox (autocontainment) tab. Their manual says it is to prevent HIPS from being bypassed by advanced exploits.
I do not know.

It would make perfect sense if it was virtualisation based because Virtual Machines rely on virtualisation too, through hardware technology built-in (e.g. Intel VT-x, AMD SVM).
 

zzz00m

HitmanPro.Alert uses CPU hardware-assisted code mitigations for Control Flow Integrity (stops ROP attacks) and IAT filtering (guards the Import Address Table). This feature is available in Intel processors.

Hardware-assisted Control-Flow Integrity
HitmanPro.Alert further raises the bar for exploit attacks. Its
innovative hardware-assisted Control-Flow Integrity (CFI)
technology is a new approach to prevent attackers from hijacking
control-flow of internet-facing applications, like web browsers,
Office and other productivity software. To defeat security
technologies like DEP and ASLR, control-flow attacks are nowadays
common practice. These attacks are invisible to antivirus and other
cyber-defenses as there are no malicious files involved. Instead, the
attack is constructed in real-time by combining short pieces of
benign code, that are part of existing applications, like Internet
Explorer and Adobe Flash Player—a so-called code-reuse or
return-oriented programming (ROP) attack.

HitmanPro.Alert achieves this new capability by leveraging an
unused hardware feature in mainstream Intel® processors to track
code execution, assisting detection of advanced exploit attacks in
real-time. Employing hardware-traced records has a significant
security benefit over software stack-based approaches.
Stack-based solutions like Microsoft EMET, rely on stack data, which
is—especially in case of a ROP attack—under control of the
attacker, who in turn can mislead the defender. In contrast, the
hardware-traced data examined by HitmanPro.Alert is more
reliable and tamper resistant—a definite edge over existing
solutions.
 
