- Tim Mangan, TMurgent Technologies, LLP
It is an ever-evolving world when it comes to Windows security. As desktop administrators, we make it harder for attackers to get in one way, and they come up with new methods. So we keep adding to the list of ways to secure Windows: firewalls, antimalware scanning, intrusion detection, limiting use of privileged accounts, training users not to click on things, and patching, patching, patching. These are all part of good security practices.
Today, however, the browser is a common attack avenue on Windows, and organizations must do more in this area. Desktop browser security really needs to start from the ground up.
Why desktop browser security is critical
Widespread ransomware attacks such as WannaCry and Petya make the headlines, but increasingly, modern attacks are uniquely designed for and targeted at particular organizations. Ninety-three percent of the attacks that Microsoft detects use payloads that are seen in the wild only in that single attack and never again, the company said. The scanning techniques that antimalware software employs are limited against these targeted attacks.
Organizations are now moving to limit the attack angles by using Windows features such as Device Guard and Code Integrity whitelists, which in theory should prevent file-based attacks from any unknown file. A fairly common method of attack uses targeted email phishing. Email scanning is becoming more effective at weeding out attachment-based attacks, but URLs within emails that trick users into clicking on them are a real problem. When a new zero-day flaw is discovered, hackers can prepare a URL that delivers the initial malware. In sophisticated attacks, this malware might run directly in memory, leaving antimalware software nothing on disk to scan and preventing Code Integrity checks from being invoked.
You can take steps to harden the desktop browser security settings. But that is not enough. We need to further improve security in the browser, and in many cases cannot just replace the browser with a different one because there are business processes built around the existing one.
Keys to the browser security kingdom
What if you could disconnect the browser from the rest of the operating system, preventing the browser and browser content from infecting the target end-user system? Bromium provides a virtualization-based offering called a microvisor that may be suitable for certain high-security situations, but it may be too costly for widespread use. Citrix Secure Browser Service is designed for more general use.
For years Citrix has been good at redirecting browser sessions and disconnecting them from user sessions on Remote Desktop Services servers so that the rich audio and video media renders locally. So the people at Citrix already understood the nuances of making sure that user favorites and cookies persist and that when files need to be saved they are handled appropriately. But with Secure Browser, Citrix reversed the process. No matter where the user attempts to launch a browser session, it redirects to a separate virtualized session in the cloud that is integrated to appear local to the user's primary device using HTML5. The idea here is that the target payload never reaches your systems. Secure Browser Service also supports running different browser versions and plug-ins on a per-URL basis.
In September, Microsoft also announced an entry into the secure browser market. Windows Defender Application Guard, part of last month's Windows 10 Fall Creators Update, uses the virtualization capabilities already in Windows 10 Enterprise for added desktop browser security. Last year when Microsoft added containers to Windows Server 2016, it also included the capability for containers in Windows 10 desktops. Application Guard automatically looks at URLs that users click on in Outlook in Office 365 or the Internet Explorer or Edge browsers. Based on URL policies, the requests can redirect to a secure browser session running inside a Windows desktop container. If the site delivering the payload does anything wrong, it (in theory) only affects the container and not the host operating system. The container's network isolation should also prove helpful in preventing spread to other desktops. Unfortunately, the URLs in the containers can only redirect to open in Edge, so this approach isn't helpful for securing sites that need plug-ins such as Java for some older web services that Edge does not support.
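As an added illustration (not part of the original article), the following PowerShell shows the administrative side of the redirect described above: enabling Application Guard and publishing the trusted-site list that decides which URLs stay in the host browser and which are sent to the container. The registry paths and value names are those used by the Network Isolation and Application Guard Group Policy settings as the author understands them, and are assumptions to check against your own GPO; the Test-AGRedirect helper is hypothetical and only mirrors the trust decision locally so a policy list can be sanity-checked before deployment.

```powershell
# Added example, not from the article or from Microsoft.
# Assumes Windows 10 Enterprise 1709 or later and an elevated session.

# 1. Enable the optional feature (a reboot is required afterwards).
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

# 2. Publish the enterprise trust boundary. Application Guard reads the
#    Network Isolation policy: hosts listed here open in the host browser,
#    everything else is redirected into the container. Entries are
#    pipe-separated; a leading dot is assumed to include subdomains.
$nip = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
New-Item -Path $nip -Force | Out-Null
Set-ItemProperty -Path $nip -Name CloudResources -Type String `
    -Value '.contoso.example|intranet.contoso.example'   # constructed sample domains

# 3. Turn the Application Guard provider on for Edge.
#    Assumed value meanings: 1 = Edge, 2 = Office, 3 = both.
$ag = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
New-Item -Path $ag -Force | Out-Null
Set-ItemProperty -Path $ag -Name AllowAppHVSI_ProviderSet -Value 1 -Type DWord

# 4. Hypothetical helper: local mirror of the host-vs-container decision,
#    so a proposed trusted list can be tested against sample URLs.
function Test-AGRedirect {
    param([string]$Url, [string[]]$Trusted)
    $uriHost = ([uri]$Url).Host.ToLowerInvariant()
    foreach ($entry in $Trusted) {
        $t = $entry.Trim().ToLowerInvariant()
        if ($t -eq '') { continue }
        if ($t.StartsWith('.')) {
            # Dotted entry: exact domain or any subdomain of it.
            if ($uriHost -eq $t.TrimStart('.') -or $uriHost.EndsWith($t)) { return 'Host browser' }
        } elseif ($uriHost -eq $t) {
            return 'Host browser'
        }
    }
    return 'Application Guard container'
}

$trusted = (Get-ItemProperty -Path $nip).CloudResources -split '\|'
Test-AGRedirect -Url 'https://intranet.contoso.example/app' -Trusted $trusted
Test-AGRedirect -Url 'https://portal.contoso.example/'      -Trusted $trusted
Test-AGRedirect -Url 'https://unknown.example/download'    -Trusted $trusted
```

The last three calls exercise an exact match, a subdomain match and an unlisted host; only the unlisted host should land in the container.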
Locking down possible executables using whitelisting is still important, but companies that either have locked down systems this way or are in the process of doing so should not rest. Instead, they should start looking at improving desktop browser security.