Your Security Checklist for the Fall Creators Update

Susan Bradley

As noted in Richard Hay’s recent article, on October 17, 2017, Microsoft will be releasing the Fall Creators Update. Just like Richard, I’m going to urge you now to take steps to push off installing the 1709 release, but I’ll be honest, I’m looking forward to the security enhancements that are included in this release.

If you have a Home version of Windows 10, I’ll first urge you to do an easy upgrade to Windows 10 Pro. It’s an easy upgrade but unfortunately not free. The reason I’m recommending that you upgrade to Pro is that it gives you the ability to push off feature releases. Once you are on the Pro release, you’ll need to take steps to defer within the next couple of weeks, prior to October 17.

Recently the Defense Department sent out a notification that the end of life for various releases of Windows 10 is as follows:

  • Windows 10 version 1507 – May 9, 2017
  • Windows 10 version 1511 – October 10, 2017
  • Windows 10 version 1607 – Tentatively March 2018
  • Windows 10 version 1703 – Tentatively September 2018

So if you have stayed on 1511, it’s time to get ready to upgrade and move off of it.

What’s Cool in This Release

While I want you to hold off installing this fall release, I’m excited about many of the security features included in this version. There are four new areas of security features included in the fall release. While some of them would work better with the Enterprise version of Windows 10, as a small business owner, I am always looking for ways to NOT lock myself into subscription agreements. Not to mention that Microsoft doesn’t make it easy to purchase a Windows E5 license through its CSP subscription agreements.

If you remember a past article I wrote, it took me several vendors to finally get the E5 subscription I wanted. While the E5 subscription provides a GUI console to better expose what my system protected itself from, you can use the protection even in the Pro version.

Some of these technologies demand that you use Windows Defender as your antivirus option; some will work with third-party antivirus. All of them come under the new name of “Windows Defender Exploit Guard (Windows Defender EG)”. There are four components of Exploit Guard.

The four components are:

  • Exploit protection can apply exploit mitigation techniques to apps your organization uses, both individually and to all apps – does not require Windows Defender to be your antivirus.
  • Attack surface reduction rules can reduce the attack surface of your applications with intelligent rules that stop the vectors used by Office-, script- and mail-based malware – does require Windows Defender to be your antivirus.
  • Network protection extends the malware and social engineering protection offered by Windows Defender SmartScreen in Edge to cover network traffic and connectivity on your organization’s devices – does require Windows Defender to be your antivirus.
  • Controlled folder access helps protect files in key system folders from changes made by malicious and suspicious apps, including file-encrypting ransomware malware – does require Windows Defender to be your antivirus.

Microsoft recommends that you get a Windows E5 license in order to have an online console in the form of Windows Defender Advanced Threat Protection. Note that it’s not mandatory to have this license in order to enable these protections.

While it is last on the list, I consider controlled folder access to be the most interesting of the four security enhancements. It’s the first time Microsoft is acknowledging how much ransomware is impacting us. Controlled folder access keeps an eye on your main user folders and ensures no ransomware makes mass changes to the files. Microsoft allows you to control Controlled folder access as long as Windows Defender is your antivirus. (If Windows Defender is not your antivirus and you are using a third-party solution, you are not able to turn controlled folder access on.)

To enable it, once you have installed the Fall Creators release, go into the Defender app by clicking Start and searching for Defender. Open the Virus & threat protection tile (or the shield icon on the left menu bar) and then the Virus & threat protection settings. Scroll down and enable Controlled folder access. By default Microsoft protects the normal user locations on your computer. You can add additional folders and mapped drives if you want to add more locations (I added a test folder in my testing of it). As Microsoft notes: “all apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder”.
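The same configuration can be scripted, which is handy when you have more than one PC to set up. The following is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell prompt on Windows 10 1709 with Windows Defender Antivirus active, and the folder path, application path and event IDs are taken from the Defender cmdlets and Exploit Guard event log as I know them (the `D:\Finance` and `LOBApp.exe` paths are placeholders to replace with your own):

```powershell
# Added example (not from the article): configure Controlled folder access with the
# Defender PowerShell cmdlets instead of the Windows Defender Security Center UI.
# Assumes: elevated prompt, Windows 10 1709, Windows Defender AV is the active antivirus.

# 1. Start in audit mode so nothing is blocked while you learn what *would* be blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an extra location beyond the default user folders (placeholder path;
#    mapped drives are accepted as well).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 3. Allow a trusted line-of-business app that legitimately rewrites files in a
#    protected folder (placeholder path). Only do this for apps you have verified.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LOBApp.exe'

# 4. Confirm the resulting configuration (EnableControlledFolderAccess: 0=Disabled,
#    1=Enabled, 2=AuditMode).
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# 5. Review what audit mode recorded. In the Defender operational log,
#    event 1124 = Controlled folder access audited, 1123 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 6. Once the audit events show only expected activity, switch to blocking:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running step 5 for a week or two before step 6 is the key part: every 1124 event is a program that would have been stopped from writing into a protected folder, so anything you recognize as legitimate belongs in the allowed-applications list before you switch to block mode.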

Next is Exploit protection. I think of it as bringing the features of EMET, Microsoft’s Enhanced Mitigation Experience Toolkit, to Windows 10. In fact, after the new release is installed, you won’t be able to use the standalone EMET on Windows 10 and must use the built-in replacement.

You can enable this on a standalone PC by going into the Defender app, then into App & browser control, and then scrolling down to Exploit protection. Open the Exploit protection settings. Now you can review what is on and off by default. As noted, you can turn on audit mode as well to review the impact on your computer and applications. On my test fall release, Force randomization for images (Mandatory ASLR) was off, and the other settings were on. While the researchers at Google may complain that Windows 10 is getting protections and Windows 7 is not getting these protections, often security has to be built into the software, not added later.
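Exploit protection also has PowerShell cmdlets, which is how you would review the defaults or carry a tested configuration to another machine. This is an added example, not code from the article; it assumes Windows 10 1709 and an elevated prompt, uses notepad.exe purely as a harmless test target, and the export path is a placeholder:

```powershell
# Added example (not from the article): inspect and adjust Exploit protection, the
# built-in successor to EMET, from PowerShell. Assumes Windows 10 1709, elevated prompt.

# Show the system-wide mitigation defaults. Look for ForceRelocateImages, which is the
# "Force randomization for images (Mandatory ASLR)" setting the article found OFF.
Get-ProcessMitigation -System

# Mandatory ASLR forcibly relocates executables that were not built with ASLR support
# and can break some older applications, so try it on a single program first rather
# than flipping the system-wide default. notepad.exe is a harmless test target.
Set-ProcessMitigation -Name notepad.exe -Enable ForceRelocateImages

# Confirm the per-application override took effect.
Get-ProcessMitigation -Name notepad.exe

# Roll the per-application change back if the program misbehaves.
Set-ProcessMitigation -Name notepad.exe -Disable ForceRelocateImages

# Export the whole configuration (system defaults plus per-app overrides) to XML so it
# can be reviewed, kept under version control, or applied on other PCs. Placeholder path.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Temp\ExploitProtection.xml'

# On another machine, apply the reviewed configuration:
# Set-ProcessMitigation -PolicyFilePath 'C:\Temp\ExploitProtection.xml'
```

The per-application step matters because, unlike most of the other mitigations, Mandatory ASLR has no audit mode: it is either on or off, and the only way to learn whether an old application tolerates it is to try it on that one program.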

The next security feature, Attack Surface Reduction, adds the ability to block specific exploit vectors. For Windows Pro machines, you can use the Local Group Policy Editor to enable this, but alas, Windows Home editions have no Group Policy editor and so cannot enable it this way. To enable the rules on the Pro SKU, type “edit group policy” in the search bar and open the Group Policy editor from Control Panel. Find Computer Configuration, then Policies, then Administrative Templates. Now expand the tree to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction. Double-click the Configure Attack surface reduction rules setting and set the option to Enabled. I would initially set the rules with the value of 2, “audit mode”, to see if any application will be impacted.

The following rules can be manually added by entering the series of numbers in the group policy section after you have enabled the rule.

  • Block executable content from email client and webmail
    BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
  • Block Office applications from creating child processes
    D4F940AB-401B-4EFC-AADC-AD5F3C50688A
  • Block Office applications from creating executable content
    3B576869-A4EC-4529-8536-B80A7769E899
  • Block Office applications from injecting into other processes
    75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84
  • Impede JavaScript and VBScript to launch executables
    D3E037E1-3EB8-44C8-A917-57927947596D
  • Block execution of potentially obfuscated scripts
    5BEB7EFE-FD9A-4556-801D-275E5FFC04CC
  • Block Win32 imports from Macro code in Office
    92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B

For example, place BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 as the value name and 2 as the value. This enables Block executable content from email client and webmail in audit mode. An alert will pop up, but nothing will be blocked while you evaluate this new technology.
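The same seven rules can be put into audit mode with the Defender cmdlets, which also works on Pro editions without touching Group Policy. This is an added example, not code from the article; the rule GUIDs are the ones listed above, and it assumes an elevated prompt on Windows 10 1709 with Windows Defender Antivirus active:

```powershell
# Added example (not from the article): apply the article's ASR rules in audit mode via
# PowerShell and review what they would have blocked. Assumes: elevated prompt,
# Windows 10 1709, Windows Defender AV active.

# Rule IDs exactly as listed in the article, mapped to their descriptions.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting into other processes'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Impede JavaScript and VBScript to launch executables'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 imports from Macro code in Office'
}

# Actions: Disabled (0), Enabled (1) = block, AuditMode (2). Add-MpPreference appends to
# the existing rule list; a rule already present is updated with the new action.
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions AuditMode
    Write-Host ("Audit mode: {0}  [{1}]" -f $asrRules[$id], $id)
}

# Verify. Ids and Actions come back as two parallel arrays, so zip them together.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $ruleId = $pref.AttackSurfaceReductionRules_Ids[$i]
    [pscustomobject]@{
        RuleId = $ruleId
        Action = $pref.AttackSurfaceReductionRules_Actions[$i]   # expect 2 for audit
        Name   = $asrRules[$ruleId]
    }
}

# Review the audit trail. In the Defender operational log, event 1122 = ASR rule
# audited (would have blocked), 1121 = ASR rule blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# Promote one rule at a time to block once its audit events look clean, for example:
# Add-MpPreference -AttackSurfaceReductionRules_Ids 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

Promoting rules one at a time is deliberate: each 1122 event names the rule that fired and the process it fired on, so you can tell which rule an in-house macro or mail add-in would trip before that rule starts blocking it.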

The next new technology is Network protection. Once again, while Microsoft would prefer that you have an E5 license, you need only the Professional SKU and the Group Policy editor. To enable this tool, once again go into the Group Policy editor. Go to Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Network protection.

Double-click the Prevent users and apps from accessing dangerous websites setting and set the option to Enabled. Once again, for purposes of testing out this new feature, I would turn on audit mode. When any application accesses dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet, you’ll get an alert. Once you are comfortable with the setting, you can change it to Block.
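Network protection has a matching cmdlet setting, so the same audit-then-block approach can be scripted. This is an added example, not from the article; it assumes an elevated prompt on Windows 10 1709 with Windows Defender Antivirus active, and the event IDs are those of the Exploit Guard events in the Defender operational log:

```powershell
# Added example (not from the article): Network protection in audit mode via PowerShell.
# Assumes: elevated prompt, Windows 10 1709, Windows Defender AV active.

# Audit first: connections to domains Defender rates as dangerous are logged, not blocked.
Set-MpPreference -EnableNetworkProtection AuditMode

# Confirm (0 = Disabled, 1 = Enabled/block, 2 = AuditMode).
(Get-MpPreference).EnableNetworkProtection

# Review audited connections. Event 1125 = Network protection audited (would have been
# blocked), 1126 = blocked. The message names the process and the destination.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# When the audit events contain nothing you need to keep reachable, switch to blocking:
# Set-MpPreference -EnableNetworkProtection Enabled
```

A useful check before switching to block is whether any 1125 events name a process other than a browser: a non-browser process reaching a flagged domain is exactly the kind of thing this feature exists to catch, and it deserves a look before it is silently blocked.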

Bottom line: These are the features of the fall release that I’m looking forward to. Get ready to defer the next feature release and stay tuned for the new security features.

Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum.


All Windows Secrets articles posted on 2017-10-10:


About Susan Bradley

Susan Bradley is a Small Business Server and Security MVP, a title awarded by Microsoft to independent experts who do not work for the company. She's also a partner in a California CPA firm.