Windows 10 Security Components
Built-in Security Features for Endpoint Protection
Windows 10 Security Architecture
Windows 10 includes multiple layers of built-in security components designed to protect against modern threats. Understanding these components is essential for SOC analysts and system administrators.
Windows Defender
Real-time antivirus and anti-malware protection with cloud-delivered intelligence.
SmartScreen
Web and application reputation-based filtering to prevent phishing and malware downloads.
Credential Guard
Hardware-based isolation of credentials using Virtualization Based Security (VBS).
WDAC
Windows Defender Application Control - Allowlist-based application execution policy.
Windows Firewall
Host-based firewall with inbound/outbound rules and advanced security profiles.
BitLocker
Full-disk encryption using TPM for data-at-rest protection.
Security Layers
Defense in Depth Strategy
- Pre-boot: Secure Boot, Trusted Boot, UEFI security
- OS Boot: Early Launch Anti-Malware (ELAM), Measured Boot
- Runtime: Windows Defender, SmartScreen, Firewall
- Identity: Windows Hello, Credential Guard, Device Guard
- Data: BitLocker, EFS, Windows Information Protection
Windows Defender Antivirus
Windows Defender is the built-in antivirus solution that provides real-time protection against viruses, malware, spyware, and other threats.
Key Features
- Real-time Protection: Continuously monitors files, processes, and registry changes
- Cloud-delivered Protection: Uses Microsoft cloud for rapid threat identification
- Automatic Sample Submission: Sends suspicious files for analysis
- Tamper Protection: Prevents malware from disabling Defender
- Controlled Folder Access: Ransomware protection for critical folders
PowerShell Commands
Common Defender Commands
Get-MpComputerStatus- Check Defender statusUpdate-MpSignature- Update malware definitionsStart-MpScan -ScanType QuickScan- Run quick scanGet-MpThreatDetection- View detected threatsSet-MpPreference -DisableRealtimeMonitoring $false- Enable real-time protection
SmartScreen Filter
SmartScreen protects users from phishing sites and malicious downloads by checking URLs and files against Microsoft's reputation database.
Protection Levels
- Web Browsing: Blocks known malicious websites in Edge/IE
- App Downloads: Warns about unrecognized applications
- Microsoft Store: Screens apps before installation
- File Execution: Checks reputation before running downloaded files
Credential Guard
Requires VBSCredential Guard uses Virtualization Based Security (VBS) to isolate sensitive credential information from the rest of the OS.
How It Works
- Creates isolated container using Hyper-V virtualization
- Stores NTLM hashes and Kerberos tickets in protected memory
- Prevents pass-the-hash and pass-the-ticket attacks
- Protects against tools like Mimikatz
Requirements
Hardware Requirements
- UEFI firmware (2.3.1c or higher)
- Virtualization extensions (Intel VT-x or AMD-V)
- SLAT (Second Level Address Translation)
- TPM 1.2 or 2.0 (recommended)
- 64-bit Windows 10 Enterprise or Education
Windows Defender Application Control (WDAC)
Enterprise FeatureWDAC (formerly Device Guard) provides application allowlisting to ensure only trusted applications can run.
Policy Types
- Audit Mode: Logs policy violations without blocking
- Enforced Mode: Blocks unauthorized applications
- Signed Policies: Tamper-resistant policy files
Trust Signals
- Publisher certificate (code signing)
- File hash (SHA-256)
- File path rules
- Intelligent Security Graph reputation
BitLocker Drive Encryption
BitLocker provides full-volume encryption for protecting data at rest on Windows devices.
Encryption Modes
- TPM Only: Automatic unlock with TPM chip
- TPM + PIN: Requires PIN at boot
- TPM + Startup Key: Requires USB key at boot
- Recovery Key: 48-digit backup key for emergency access
PowerShell Management
BitLocker Commands
Get-BitLockerVolume- Check encryption statusEnable-BitLocker -MountPoint "C:"- Enable encryptionBackup-BitLockerKeyProtector- Backup recovery key to AD