February 1, 2017

2016 Windows Mitigations

In 2016, Microsoft continued to harden modern Windows versions through a series of small security measures called mitigations. A mitigation reduces the risk that a vulnerability can be exploited successfully, rather than fixing any one bug. Microsoft began this approach in Windows 8 by introducing a dedicated API, SetProcessMitigationPolicy, which lets a process turn on the mitigations supported by the current Windows version. The policies available in Windows 8.1 include ProcessDEPPolicy, ProcessASLRPolicy, ProcessDynamicCodePolicy, and ProcessControlFlowGuardPolicy.

In Windows 10, Microsoft released three new policies: ProcessSignaturePolicy, ProcessFontDisablePolicy, and ProcessImageLoadPolicy. Each policy was created as a means to better secure Windows software.

ProcessSignaturePolicy: Restricts which images (DLLs and other executable modules) may load into the target application to those carrying a specific digital signature. The accepted signers are Microsoft, the Windows Store, and the Windows Hardware Quality Labs (WHQL). For example, with this policy turned on for the Edge web browser, only images with a digital signature from the Windows Store would load.

ProcessFontDisablePolicy: Prevents non-system fonts from loading, allowing only fonts from %windir%\fonts. Turning this on removes the risk of a compromise while a font is being loaded and parsed.

ProcessImageLoadPolicy: Determines which executable images can be loaded and forbids the rest. When turned on, images from certain locations cannot be loaded; for example, images stored on a remote device, or images marked with a Low Integrity Level.
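As an added example that is not part of the original post, the following Python script turns on two of the three Windows 10 policies above for its own process through SetProcessMitigationPolicy and reads all three back with GetProcessMitigationPolicy. The enum values and bit names are those of winnt.h; the helper names (flags_for, decode, harden_current_process) are this example's own, and it assumes it runs under a Windows 10 python.exe.

```python
import ctypes
from ctypes import wintypes

# PROCESS_MITIGATION_POLICY enum values (winnt.h) for the three Windows 10 policies
ProcessSignaturePolicy, ProcessFontDisablePolicy, ProcessImageLoadPolicy = 8, 9, 10
# Each policy's struct is one DWORD of bit flags; the names are the winnt.h bitfield names
BITS = {
    ProcessSignaturePolicy: {1 << 0: "MicrosoftSignedOnly", 1 << 1: "StoreSignedOnly"},
    ProcessFontDisablePolicy: {1 << 0: "DisableNonSystemFonts"},
    ProcessImageLoadPolicy: {1 << 0: "NoRemoteImages", 1 << 1: "NoLowMandatoryLabelImages"},
}

def flags_for(policy, *names):
    table = {name: bit for bit, name in BITS[policy].items()}
    value = 0
    for name in names:
        value |= table[name]  # an unknown bit name raises KeyError
    return value

def decode(policy, flags):
    return [name for bit, name in BITS[policy].items() if flags & bit]

def _kernel32():
    if not hasattr(ctypes, "WinDLL"):
        raise OSError("SetProcessMitigationPolicy exists only on Windows 8 and later")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.SetProcessMitigationPolicy.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    k32.SetProcessMitigationPolicy.restype = wintypes.BOOL
    k32.GetProcessMitigationPolicy.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p, ctypes.c_size_t]
    k32.GetCurrentProcess.restype = wintypes.HANDLE
    return k32

def set_policy(policy, flags):
    # Enable a policy for the current process; these policies are one-way and cannot be cleared later
    value = wintypes.DWORD(flags)
    if not _kernel32().SetProcessMitigationPolicy(policy, ctypes.byref(value), ctypes.sizeof(value)):
        raise ctypes.WinError(ctypes.get_last_error())

def get_policy(policy):
    k32 = _kernel32()
    value = wintypes.DWORD(0)
    if not k32.GetProcessMitigationPolicy(k32.GetCurrentProcess(), policy, ctypes.byref(value), ctypes.sizeof(value)):
        raise ctypes.WinError(ctypes.get_last_error())
    return decode(policy, value.value)

def harden_current_process():
    # MicrosoftSignedOnly is read back but never set: Python's own extension DLLs are not Microsoft-signed
    set_policy(ProcessFontDisablePolicy, flags_for(ProcessFontDisablePolicy, "DisableNonSystemFonts"))
    set_policy(ProcessImageLoadPolicy, flags_for(ProcessImageLoadPolicy, "NoRemoteImages", "NoLowMandatoryLabelImages"))
    return {policy: get_policy(policy) for policy in BITS}
```

Calling harden_current_process() from a Windows 10 Python session returns the decoded flags for all three policies; on any other platform the API helpers raise OSError.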

Another security feature, added to IE11 with Windows 8 Update 3 and to Edge on Windows 10, is Control Flow Guard (CFG). Built to combat memory corruption, CFG gives applications a way to mitigate the exploitation techniques that rely on hijacking indirect control flow transfers. In other words, CFG restricts where an application can execute from, making it harder to run arbitrary code through vulnerabilities such as buffer overflows. Without CFG, an attacker who corrupts an indirect call target can redirect a program to an undesired location. With CFG, a combination of compile-time and run-time support verifies the target of each indirect call before it is taken, so execution can only transfer to valid function entry points.

Furthermore, Microsoft continues to add new mitigations to modern Windows versions to reduce successful attacks and improve security.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients' engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
