On January 14, 2020, Windows 7 reaches the end of extended support, and from that date it will no longer receive security updates from Microsoft unless an organization pays for Extended Security Updates. Although the Redmond-based outfit ended mainstream support for Windows 7 all the way back in January 2015, the five-year period of extended support during which enterprises were expected to update their stack and move to the more secure platform of Windows 10 is almost over.
From a security point of view, there are multiple reasons why you should upgrade to Windows 10 sooner rather than later. The dozens of security improvements we list below will immediately improve your security posture across several fronts, with enhanced memory and kernel protections, code integrity, more secure networking protocols and much more.
Let’s start by reviewing some of the most critical issues facing Windows 7 users, all of which will be alleviated by an upgrade.
1. The latest Service Pack for Windows 7 is Service Pack 1, from 2011. Bringing a fresh SP1 install up to date means deploying hundreds of individual security updates (or the convenience rollup followed by every monthly rollup since).
2. On Windows 7, Mimikatz and malicious threats that bundle it or are inspired by it can read passwords and other credentials from the memory of the Local Security Authority Subsystem Service (LSASS) process, because nothing stops an administrator-level process holding SeDebugPrivilege from opening it.
3. On Windows 7, antimalware must resort to identifying some kinds of malicious activity with user-mode API hooking, which is less reliable, can be unhooked by the malware itself and might not cover all attack vectors.
4. On Windows 7, the SmartScreen reputation service is only checked by Internet Explorer and doesn’t provide protection for files downloaded by other means.
5. Windows 7 does not use TLS 1.2 for WinInet and WinHTTP by default. Enabling it is a manual registry configuration that admins need to know about and apply even after they have installed the latest patches.
6. Windows 7 does not support the newer TLS 1.3 protocol at all. Weaknesses in TLS 1.0 and 1.1, and in the legacy cipher suites that TLS 1.2 still allows, are well-documented.
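The TLS 1.2 gap in item 5 is the kind of thing that is easy to forget until a payment gateway drops TLS 1.0 and a line-of-business app stops working. The script below is an added example, not code from the original article or from SentinelOne: it writes the Schannel client setting and the WinHTTP/WinInet DefaultSecureProtocols mask on a Windows 7 SP1 machine, then reads back what is actually configured. It assumes KB3140245 (which adds TLS 1.1/1.2 support to WinHTTP) is already installed, that Windows Management Framework 3 or later is present, and that it runs in an elevated PowerShell session.

```powershell
# Added example (not from the original article): make TLS 1.2 the default for
# Schannel clients and the WinHTTP/WinInet stack on Windows 7 SP1.
# Assumes KB3140245 is installed and the session is elevated.

$tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    # 32-bit applications on a 64-bit OS read the Wow6432Node copy instead.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
# DefaultSecureProtocols bit mask (from KB3140245):
#   0x008 SSL 2.0, 0x020 SSL 3.0, 0x080 TLS 1.0, 0x200 TLS 1.1, 0x800 TLS 1.2
$tls12Only = 0x800

function Enable-Tls12Default {
    # Schannel: TLS 1.2 exists on Windows 7 but is "disabled by default", which
    # means apps that don't ask for it explicitly never get it. Flip both values.
    New-Item -Path $tls12Client -Force | Out-Null
    Set-ItemProperty -Path $tls12Client -Name 'Enabled'           -Type DWord -Value 1
    Set-ItemProperty -Path $tls12Client -Name 'DisabledByDefault' -Type DWord -Value 0

    # WinHTTP / WinInet: DefaultSecureProtocols decides what callers that don't
    # pick a protocol themselves negotiate. Absent, the Windows 7 default is
    # SSL 3.0 + TLS 1.0.
    foreach ($key in $winHttpKeys) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'DefaultSecureProtocols' -Type DWord -Value $tls12Only
    }
}

function Test-Tls12Default {
    # Report the effective state; a missing value means the OS default still applies.
    foreach ($key in $winHttpKeys) {
        $v = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        [pscustomobject]@{
            Key                    = $key
            DefaultSecureProtocols = $(if ($null -eq $v) { 'not set (SSL 3.0/TLS 1.0 default)' } else { '0x{0:X}' -f $v })
            Tls12Enabled           = $(if ($null -eq $v) { $false } else { ($v -band 0x800) -ne 0 })
        }
    }
    $sc = Get-ItemProperty -Path $tls12Client -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                    = $tls12Client
        DefaultSecureProtocols = 'n/a'
        Tls12Enabled           = ($sc.Enabled -eq 1 -and $sc.DisabledByDefault -eq 0)
    }
}

Enable-Tls12Default
Test-Tls12Default | Format-Table -AutoSize
```

Setting the mask to 0x800 alone is deliberate: 0xA00 (TLS 1.1 + 1.2) is the value most guides quote, but TLS 1.1 buys nothing a modern server needs and is itself being retired. Applications that create their own WinHTTP session with an explicit protocol list ignore this value entirely, so test the real client after the change rather than trusting the registry.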
Windows 10 offers vast improvements over Windows 7 with regards to antimalware protections, strengthening both native tools and third-party solutions. Let’s take a look.
7. Windows 10 supports UEFI Secure Boot and Trusted Boot. These protect against malicious “bootkits” that can run early in the boot process and attempt to avoid detection by antimalware tools.
8. Windows 10 supports Early Launch Anti-Malware, which allows antimalware software to block malicious boot drivers from loading.
9. Windows 10 supports additional LSA Protection (RunAsPPL), allowing LSASS to run as a Protected Process Light, which protects the credentials it holds from malware that does not have a malicious kernel-mode component of its own.
10. Windows 10 supports Protected Anti-Malware Services. Antimalware can run as a protected process, making it harder for malicious code, even when running with administrative privileges, to kill it, suspend it, inject code into it or otherwise tamper with it.
11. Windows 10 provides antimalware services with specialized threat intelligence events (the Microsoft-Windows-Threat-Intelligence ETW provider, readable only by protected antimalware processes) that vendors use to improve detections.
12. Windows 10 integrates the SmartScreen reputation service out of the box. The shell checks the reputation of downloaded files and prevents the user from running them if they are a potential threat.
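Items 9 and 12 are both settings an administrator has to turn on; neither is enforced out of the box on an upgraded machine. The following is an added example, not code from the original article or from SentinelOne: it puts LSA Protection into audit mode first, because any unsigned authentication or password-filter DLL that a third-party product loads into LSASS will break logon once protection is enforced, then enforces RunAsPPL, sets the shell SmartScreen check to block rather than warn, and reports whether LSASS actually started protected. It assumes Windows 10 with an elevated session and that a reboot follows; the registry paths, event IDs and policy value names are Microsoft's documented ones.

```powershell
# Added example (not from the original article): audit, then enforce, LSA
# Protection; require SmartScreen's shell check; verify both. Run elevated.

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsassIfeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'
$ssPolicy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Enable-LsaProtectionAudit {
    # AuditLevel 8 makes Code Integrity log, rather than block, LSA plug-ins that
    # would fail the signing requirements. Run this for a few logon cycles first.
    New-Item -Path $lsassIfeo -Force | Out-Null
    Set-ItemProperty -Path $lsassIfeo -Name 'AuditLevel' -Type DWord -Value 8
}

function Get-LsaPluginViolations {
    # Audit mode logs 3065/3066; enforcement logs 3033/3063 in the same channel.
    # Anything listed here with an enforcing RunAsPPL means a broken logon path.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3033, 3063, 3065, 3066
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-LsaProtection {
    # RunAsPPL = 1: LSASS starts as a protected process on the next boot. On
    # Secure Boot systems the policy can also be pinned in a UEFI variable, so
    # plan how you will roll back before pushing this to a fleet.
    Set-ItemProperty -Path $lsaKey -Name 'RunAsPPL' -Type DWord -Value 1
}

function Set-SmartScreenBlock {
    # Shell SmartScreen is checked by Explorer for any downloaded file carrying a
    # Mark-of-the-Web, not only for IE/Edge downloads. 'Block' stops execution of
    # files SmartScreen flags; 'Warn' only shows a prompt the user can click through.
    New-Item -Path $ssPolicy -Force | Out-Null
    Set-ItemProperty -Path $ssPolicy -Name 'EnableSmartScreen'      -Type DWord  -Value 1
    Set-ItemProperty -Path $ssPolicy -Name 'ShellSmartScreenLevel'  -Type String -Value 'Block'
}

function Test-CredentialHardening {
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    # Wininit writes event 12 to the System log when LSASS really started as a
    # protected process; the registry value alone proves nothing until a reboot.
    $pplEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RunAsPPLConfigured    = ($runAsPpl -eq 1)
        LsassStartedProtected = ($null -ne $pplEvent)
        LsaPluginViolations   = @(Get-LsaPluginViolations).Count
        SmartScreenLevel      = (Get-ItemProperty -Path $ssPolicy -Name ShellSmartScreenLevel -ErrorAction SilentlyContinue).ShellSmartScreenLevel
    }
}

# Typical rollout: audit first, review, then enforce and reboot.
Enable-LsaProtectionAudit
Get-LsaPluginViolations | Format-Table -AutoSize
Enable-LsaProtection
Set-SmartScreenBlock
Test-CredentialHardening
```

Once LSASS is protected, a tool such as Mimikatz running as a plain administrator can no longer open the process; it needs a kernel-mode driver to strip the protection, which is exactly the escalation that HVCI (item 13) and Credential Guard (item 14) are designed to make expensive.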
Many security issues arise from vulnerabilities in the kernel. Windows 10 ramps up kernel protections in a variety of ways that will help keep attackers at bay.
13. Windows 10 supports Virtualization Based Security (VBS) and Hypervisor-protected Code Integrity (HVCI). In this mode, the Hyper-V hypervisor loads beneath the OS and isolates a secure region of memory (Virtual Secure Mode) from the normal kernel; with HVCI, code integrity checks run from inside that isolated region, so the kernel can only execute pages that are properly digitally signed, and even a compromised kernel cannot make new executable pages. This provides powerful protection against exploits and zero-days that attempt to run kernel shellcode, like NSA’s ETERNALBLUE.
14. When VBS is enabled, Windows 10 supports Credential Guard, which provides an even higher level of credential protection than running LSA as a Protected Process, by keeping derived credentials (NTLM hashes and Kerberos ticket-granting tickets) in an isolated LSA process (LsaIso.exe) inside Virtual Secure Mode, outside the reach of the normal OS. This provides protection against credential theft by malware even if it successfully loads a malicious kernel mode driver.
15. When VBS is enabled, CFG protection is also available for kernel mode code (kernel CFG).
16. Windows 10 enhances the heap and the kernel pool, used for dynamic memory allocation in user and kernel modes, respectively, with various mitigations that make heap-based vulnerability exploitation more difficult.
17. Windows 10 supports process mitigation policies. Specific programs can opt-in to these policies in order to restrict code that can run in them.
18. Historically, the kernel mode component of the Windows GUI subsystem (Win32k.sys) has been the source of many zero day vulnerabilities exploited by malware. Recently, an attack on Google Chrome exploited such a Win32k vulnerability. Many defense-in-depth measures were introduced in Windows 10 for Win32k, making exploitation of such vulnerabilities more difficult.
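Items 13 to 15 are only as good as their actual state on the box: VBS can be "enabled" in policy yet not running because Secure Boot is off or a driver is incompatible. The script below is an added example, not code from the original article or from SentinelOne: it reads the state Windows reports through the Win32_DeviceGuard WMI class and, if asked, enables VBS, HVCI and Credential Guard through the documented registry values. It assumes a Windows 10 Enterprise or Education machine (Credential Guard requires one; HVCI does not) with UEFI, Secure Boot and hardware virtualization, an elevated session, and a reboot afterwards.

```powershell
# Added example (not from the original article): report and enable
# VBS / HVCI / Credential Guard. Run elevated on Windows 10 Enterprise/Education.

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Per the class documentation:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    #   AvailableSecurityProperties: 1 = hypervisor, 2 = Secure Boot, 3 = DMA protection,
    #                                4 = Secure Memory Overwrite, 5 = UEFI code readonly, ...
    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardWanted  = ($dg.SecurityServicesConfigured -contains 1)
        HvciWanted             = ($dg.SecurityServicesConfigured -contains 2)
        PlatformFeatures       = ($dg.AvailableSecurityProperties -join ',')
    }
}

function Enable-VbsStack {
    param(
        # 1 = require Secure Boot; 3 = require Secure Boot and DMA protection.
        [ValidateSet(1, 3)][int]$PlatformRequirement = 1
    )
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey   -Name 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1
    Set-ItemProperty -Path $dgKey   -Name 'RequirePlatformSecurityFeatures'   -Type DWord -Value $PlatformRequirement
    # HVCI: kernel-mode code integrity enforced from VTL1. Locked = 0 keeps the
    # setting changeable from the OS; set 1 only once you can live without rollback.
    Set-ItemProperty -Path $hvciKey -Name 'Enabled' -Type DWord -Value 1
    Set-ItemProperty -Path $hvciKey -Name 'Locked'  -Type DWord -Value 0
    # Credential Guard: LsaCfgFlags 1 = enabled with UEFI lock, 2 = enabled without lock.
    Set-ItemProperty -Path $lsaKey  -Name 'LsaCfgFlags' -Type DWord -Value 2
}

function Test-VbsPrerequisites {
    # Quick pre-flight: a hypervisor-capable CPU plus Secure Boot are the minimum.
    $props = (Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard).AvailableSecurityProperties
    [pscustomobject]@{
        HypervisorSupported = ($props -contains 1)
        SecureBootPresent   = ($props -contains 2)
        DmaProtection       = ($props -contains 3)
        SecureBootEnabled   = (Confirm-SecureBootUEFI -ErrorAction SilentlyContinue) -eq $true
    }
}

Test-VbsPrerequisites
Get-VbsStatus
```

Run `Get-VbsStatus` again after the reboot; the gap between the "Wanted" and "Running" columns is where the interesting failures hide. HVCI in particular refuses to start when a loaded kernel driver is not HVCI-compatible, so check the Microsoft-Windows-CodeIntegrity/Operational log for blocked drivers before declaring victory.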
Malicious code can be rendered less harmful or even harmless if it’s confined to a sandbox. Windows 10 offers a number of advantages here over Windows 7.
19. Windows 10 supports the AppContainer technology for sandboxing. This is mainly used by Windows Store apps, but is additionally used to move processing of Untrusted Fonts from kernel mode to a sandboxed AppContainer (fontdrvhost.exe) where a malicious font with an exploit can do less damage.
20. Windows 10 takes EMET (Microsoft’s Enhanced Mitigation Experience Toolkit) to the next level by including Exploit Guard as part of the system. Administrators can configure opt-in mitigations like blocking certain processes from loading code modules from remote network shares and various mitigations that provide protection against ROP (Return Oriented Programming) based exploits.
21. Additionally, antimalware software can use AppContainer technology to sandbox its components that access untrusted content. For example, SentinelOne’s DFI uses an AppContainer on Windows 10.
Windows 10 supports several additional defense-in-depth exploit mitigations over Windows 7, resulting in protection from many zero days that function on the earlier Windows operating system.
22. Windows 10 supports High Entropy ASLR (Address Space Layout Randomization), which makes it harder for exploit shellcode to find the code from loaded modules it needs to function.
23. Windows 10 supports Control Flow Guard. CFG validates the target of every indirect call against the set of legitimate function entry points recorded at compile time, so a function pointer overwritten by a memory corruption bug cannot simply be pointed at attacker-chosen code.
24. Windows 10 supports Code Integrity Guard. CIG lets a process allow only code digitally signed by Microsoft (or the Windows Store) to load. In addition to the Microsoft Edge browser, this policy is also used by various system processes in Windows 10 by default, protecting them from exploitation by code injection from malware.
25. Windows 10 supports Arbitrary Code Guard. ACG lets a process require that executable code must originate from a module file (a DLL or an EXE) and cannot be dynamically allocated or made executable at run time, as exploit shellcode usually is.
26. Windows 10 greatly improves BitLocker’s protections against physical attacks.
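Items 17, 20 and 22 to 25 describe mitigations that are only opt-in for third-party applications, and the page does not show how an administrator opts a process in. The script below is an added example, not code from the original article or from SentinelOne: it uses the ProcessMitigations module that ships with Windows 10 1709 and later to apply the mitigations named above to one executable, starting with the audit-mode variants of ACG and CIG because those two break JIT engines and unsigned plug-in DLLs, then reads the effective policy back and pulls audit hits from the Security-Mitigations event channels. `lobviewer.exe` is a hypothetical process name chosen for the example; substitute your own. Property names in `Get-EffectiveMitigations` follow the layout `Get-ProcessMitigation` prints.

```powershell
# Added example (not from the original article): opt a process into Exploit
# Protection mitigations, read back the effective policy, collect audit events.
# Needs Windows 10 1709+ (ProcessMitigations module) and an elevated session.

$target = 'lobviewer.exe'   # hypothetical line-of-business app; substitute yours

function Set-HardenedMitigations {
    param(
        [string]$ProcessName = $target,
        # Audit first: ACG/CIG violations get logged instead of killing the process.
        [switch]$Enforce
    )
    $mitigations = @(
        'DEP', 'SEHOP',                                              # classic stack/SEH protections
        'ForceRelocateImages', 'BottomUp', 'HighEntropy',            # ASLR family (item 22; HighEntropy is 64-bit only)
        'CFG', 'StrictCFG',                                          # Control Flow Guard (item 23)
        'BlockRemoteImageLoads', 'BlockLowLabelImageLoads',          # no DLLs from UNC paths or low-integrity writers (item 20)
        'EnableRopStackPivot', 'EnableRopCallerCheck', 'EnableRopSimExec'  # EMET-style ROP checks (item 20)
    )
    if ($Enforce) {
        $mitigations += 'BlockDynamicCode', 'MicrosoftSignedOnly'   # ACG (item 25), CIG (item 24)
    } else {
        $mitigations += 'AuditDynamicCode', 'AuditMicrosoftSigned'
    }
    Set-ProcessMitigation -Name $ProcessName -Enable $mitigations
}

function Get-EffectiveMitigations {
    param([string]$ProcessName = $target)
    $m = Get-ProcessMitigation -Name $ProcessName
    [pscustomobject]@{
        Process      = $ProcessName
        DEP          = $m.DEP.Enable
        HighEntropy  = $m.ASLR.HighEntropy
        CFG          = $m.CFG.Enable
        ACG          = $m.DynamicCode.BlockDynamicCode
        ACGAudit     = $m.DynamicCode.Audit
        CIG          = $m.BinarySignature.MicrosoftSignedOnly
        CIGAudit     = $m.BinarySignature.Audit
        RemoteImages = $m.ImageLoad.BlockRemoteImageLoads
    }
}

function Get-MitigationAuditEvents {
    param([string]$ProcessName = $target)
    # Audit-mode hits land in these two channels. Anything for your process here
    # is something -Enforce would have blocked; fix or accept it before enforcing.
    $logs = 'Microsoft-Windows-Security-Mitigations/KernelMode',
            'Microsoft-Windows-Security-Mitigations/UserMode'
    foreach ($log in $logs) {
        Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($ProcessName) } |
            Select-Object TimeCreated, Id, @{ n = 'Log'; e = { $log } }, Message
    }
}

# Rollout order: audit, let users work for a while, review, then enforce.
Set-HardenedMitigations
Get-EffectiveMitigations
Get-MitigationAuditEvents | Format-Table -AutoSize
# Set-HardenedMitigations -Enforce
```

`Set-ProcessMitigation` writes the policy per image name, so it also covers copies of the executable launched from other paths, and the same settings can be exported with `Get-ProcessMitigation -RegistryConfigFilePath` and pushed fleet-wide through the Exploit Protection Group Policy setting.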
Network connections, from logging on remotely to handling credit card transactions, receive a security boost when you upgrade to Windows 10.
27. Windows 10 provides enhanced security during Remote Desktop sessions with Remote Credential Guard (RCG). Credentials are not sent to the remote server at all; the client's Kerberos ticket-granting ticket stays on the client, which requests service tickets on the remote host's behalf, so the user's credentials are protected from attackers on the remote host. RCG also supports Single Sign-On, which improves password hygiene by removing the prompt that would otherwise expose the password to the remote machine.
28. Remote Credential Guard prevents RDP Pass-the-Hash attacks and use of credentials after the remote session is over.
29. In Windows 10, Schannel (the Windows TLS stack) uses modern TLS protocol versions by default, enhancing security and enabling PCI DSS compliance.
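Remote Credential Guard (items 27 and 28) has to be allowed on the server side and can be required on the client side; the page describes the protection but not the switches. The following is an added example, not code from the original article or from SentinelOne: it enables the server-side setting, sets the client policy that refuses to delegate credentials to any RDP host, and wraps the per-connection `mstsc /remoteGuard` opt-in. It assumes both machines run Windows 10 or Windows Server 2016 or later, are domain-joined, and that the client can reach a domain controller for Kerberos; the registry value names are those behind the "Restrict delegation of credentials to remote servers" policy in CredSsp.admx.

```powershell
# Added example (not from the original article): enable Remote Credential Guard
# on the RDP host, require it on the client, connect with it. Run elevated.

$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$credDel = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Enable-RcgOnServer {
    # The remote host must accept Restricted Admin / Remote Credential Guard logons.
    # DisableRestrictedAdmin is absent by default, which disables them; 0 allows them.
    Set-ItemProperty -Path $lsaKey -Name 'DisableRestrictedAdmin' -Type DWord -Value 0
}

function Set-RcgClientPolicy {
    param(
        # 1 = require Restricted Admin, 2 = require Remote Credential Guard,
        # 3 = restrict delegation (prefer RCG, fall back to Restricted Admin).
        [ValidateSet(1, 2, 3)][int]$Mode = 2
    )
    # With this policy set, mstsc refuses to send credentials to any remote host,
    # so a compromised jump box or help-desk target cannot harvest them.
    New-Item -Path $credDel -Force | Out-Null
    Set-ItemProperty -Path $credDel -Name 'RestrictedRemoteAdministration'     -Type DWord -Value 1
    Set-ItemProperty -Path $credDel -Name 'RestrictedRemoteAdministrationType' -Type DWord -Value $Mode
}

function Test-RcgReadiness {
    # RCG needs Kerberos end to end: a local account or an NTLM-only trust will not work.
    $serverAllows = (Get-ItemProperty -Path $lsaKey -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    $clientMode   = (Get-ItemProperty -Path $credDel -Name RestrictedRemoteAdministrationType -ErrorAction SilentlyContinue).RestrictedRemoteAdministrationType
    [pscustomobject]@{
        DomainJoined      = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
        ServerAllowsRcg   = ($serverAllows -eq 0)
        ClientPolicyMode  = $clientMode
    }
}

function Connect-WithRcg {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Without the policy, a user opts in per connection with /remoteGuard.
    # Expect no password prompt: the logged-on user's ticket is used and stays local.
    Start-Process -FilePath 'mstsc.exe' -ArgumentList "/v:$ComputerName", '/remoteGuard'
}

Test-RcgReadiness
```

One caveat worth knowing before rolling this out: RCG protects the credentials on the wire and on the remote host, but the session itself is still fully interactive, so an attacker already on that host can ride the connection to anything the user's tickets unlock while the session is open. Item 28's guarantee is that nothing survives once the session ends.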
Say goodbye to Service Pack updates as Microsoft rolls out major twice-yearly Windows 10 feature updates and cumulative monthly patches. Patch Tuesday is still a thing, but Microsoft’s release cadence for Windows 10 offers a number of benefits to the enterprise.
30. Windows 10 is serviced with monthly cumulative updates, so staying up to date and secure is a lot easier.
31. Windows 10 follows the “Windows as a Service” model, providing various servicing options to balance security, new functionality and enterprise stability needs.
32. In Windows 10, the less conservative servicing options (e.g., Semi-Annual Channel) quickly deliver the value of new defense-in-depth security measures to existing deployments.
Enterprises cannot afford to fall too far behind attackers, and Windows 7 is a long way behind the curve. Consider that this OS was released 10 years ago, is not supported by Microsoft on current Intel and AMD processor generations, and when extended support ends in January 2020, there will be no more security updates.
While threat actors continue to evolve their techniques, the importance of patching remains one of the critical ways to deal with vulnerability management. The sooner enterprises move to Windows 10, the sooner they can enjoy the many security benefits we listed above.