windows_mitigations.md

May 11, 2024 ยท View on GitHub

We list mitigations added in all Windows versions (from Windows XP up to latest Windows 10).

Version (and date)MitigationReferences
>= Windows XP SP2 and >= Windows Server 2003 SP1DEP in userland and kernel land1 2 167
>= Windows XP SP2 and >= Windows Server 2003 SP1Non-executable SharedUserData3
>= Windows VistaIntegrity Levels (IL)4
>= Windows VistaASLR5 5-2 167
>= Windows VistaUser-mode Drive Framework (now in WDF) to be able to write user space only drivers208 209 210 211
>= Windows XP SP2 with physical memory 508MB+ or >= Windows VistaDelayed free list158 153 154 155 156
Any 64-bit WindowsPagedPool is ReadWrite only (NX enabled)185 186
>= Windows VistaSMB default configuration does not allow anonymous login to named pipes6
Visual Studio 2003 >= XXXSafeSEH7 190
Visual Studio 2003 >= XXXGS stack cookie protection194 195
>= Windows Server 2008 (enabled by default) and >= Windows Vista SP1 (disabled by default). Disabled by default on workstation < Windows 10 v1709 and enabled by default on server versions.Structured Exception Handling Overwrite Protector (SEHOP)191 7 8 192 193
>= Internet Explorer 7 and >= Windows VistaProtected Mode (PM) - Low IL9
Windows Vista? 7?Kernel ASLR (KASLR)10 11 160
>= Internet Explorer 10 and >= Windows 8Enhanced Protected Mode (EPM) - AppContainer12 13 14
>= Internet Explorer 10 and >= Windows 8ForceASLR15
>= Windows 8, 64-bit processesHigh Entropy ASLR (HEASLR)16 17
>= Internet Explorer 10 and >= Windows 8VTGuard18 19
Windows 7Safe Unlinking in the kernel pool allocator20
Windows 8 or 8.1?No-Execute (NX) Page Table Entries (PTE)159
Windows 8Safe Unlinking in the linked lists used in the kernel21 22
>= Windows 8SMB default configuration does not allow anonymous login to IPC(IPC (IPC may be accessible but most commands cannot be used)23
Windows 8Supervisor Mode Execution Prevention (SMEP)24 149 150 151 167
Windows 8 32-bit/64-bit and backported to Vista+ 64-bitNULL page mitigation25 26 27 28 29 170
Windows 8/8.1 (Server 2012) - patch XXX??HAL non executable (NX)30
Windows 8No-Execute (NX) Nonpaged Pool31 32 33
<= Internet Explorer 10Memory Protector (MP)34
Edge and Internet Explorer 11MemGC35
>= Windows 8.1ObTypeIndexTable Index 0 hardening36
>= Windows 8.1 32-bit/64-bit (update KB3000850) or >= Office 16.0.7341.2032 or compiled with >= VS2015Control Flow Guard (CFG) a.k.a. Forward-edge CFI (Integrity)37 38 39 40 41 42 43 44 45 46 47 48 49 50 146 166 167 168 198 199 206
?Isolated Heap (only HTML/SVG/etc. elements accessible from JS, not helper/smaller objects)51
>= Edge and Windows 10 v???Win32k syscall filter52 53 54 55 56 57 58 59 60
Windows VistaKernel-Mode Code Signing (KMCS) a.k.a Digital Driver Signing147 164
Windows VistaKernel Patch Protection (KPP) aka PatchGuard148
Windows 10 1703 or 1607 >= 14332 (August 2016)Page Table Entry (PTE) location ramdomized (full KASLR)61 62 63 64 65 180 180-2
>= Windows 10 1809 (Pro/Enterprise) and >= Edge 77Application Guard for Edge66 67 207
Windows 10/Edge >= XX/XX/2016???Virtual Machines (VM) for Edge68
Windows 10 >= XX/XX/2016???Services process isolation (out of SVCHOST.EXE)69
Windows 10 >= XX/XX/2016???Shadow stack70 71
Windows 10/Edge >= XX/XX/2016???Prohibit dynamic code (VirtualAlloc RWX)72 73
Windows 10/Office 2016 (Version 16.11 Build 7571.2075)Forbid child to create process74
Windows 10/EdgeOut-of-process JIT75 76
Windows 10 v1607 (Build 14393)NULL SecurityDescriptor kernel mitigation77 78
Windows 10 (Build 15002)Exports are invalid CFG icall79
Windows 10 (Build 15021 / Removed in Build 15031)Return Flow Guard (RFG)80 81 82 83 84
Windows 10 (Build 15025)Strict CFG85 86
Windows 10 (Build 1703 Creators Update)kCFG87 152
Windows 10 (Build ?)Font parsing restricted to AppContainer88 89
Windows 10 (Build 16179)Break LFH deterministic layouts90 91 188 188-2
Windows 10 64-bit (1703 Creators Update) (April 2017)HAL randomized / No HAL Heap static mapping92 93
Internet Explorer 11Disable VBScript94 95 96
Windows 10 (1703 Creators Update)Arbitrary Code Guard (ACG) Enabled with PROCESS_CREATION_MITIGATION_POLICY_PROHIBIT_DYNAMIC_CODE_ALWAYS_ON. Enabled by default in Edge only under certain conditions97 98 99 180 180-2 213
Windows 10 (16215)Arbitrary Code Guard and Code Integrity Guard for most svchost.exe100
Windows 10 (16215)Isolated kernel stacks101
Windows 10 (?)BufferedIO output buffer is always zero'd102 103
Windows 10 RS3 (?)EMET mitigations added to Win10 (Windows Defender Exploit Guard, etc.)104 105 106 107
Windows 10 RS4Split kernel/page directory tables108 109 110
Windows 10 ???Fonts in userland and appcontainerized111
Windows 10 RS4 (17063)SGX2 Support (EAUG, EMODPR, etc)112
Windows 10 ???Kernel Virtual Address (KVA) Shadow (== KPTI)113 114 172 172-2
Windows 10 ???Mitigations for speculative execution side channel vulnerabilities115
Visual Studio 2017 version 15.5.5 or 15.6 Preview 4?/Qspectre compiler option116 117
Windows 10 build 17692 (fast ring) (June 2018)WPAD JavaScript sandboxing in AppContainer118
Windows 10 Redstone 5 (June 2018)Virtualization Based Security (VBS) enables Hypervisor Code Integrity (HVCI) and Driver Signature Enforcement (DSE) => block Capcom rootkit/other drivers119 180 180-2
Windows 10 Build 17723 (Fast Ring) and 18204 (Skip Ahead)heap-backed pool allocator (with randomization)120
Windows 10 Build 19H1Limited Supervisor Mode Access Prevention (SMAP) in paths handling DISPATCH_LEVEL + interrupts121 122
Windows 10, version 1703Sandboxed Windows Defender (opt-in)123 124
>= Windows 10 v1709Structured Exception Handling Overwrite Protector (SEHOP) enabled by default193
Windows 10 WIPFast build or compiled with /kernelInitAll compiler feature. No uninitialized Plain-old-data (POD) structs on the stack125 126 163
Windows 10 Fall Creators Update (2017)VBScript execution disabled in Internet Explorer in the Internet Zone and the Restricted Sites Zone by default127 128
Windows 10 Pro or Enterprise Insider build 18305Windows Sandbox (run any application in isolation)129 130
Windows 10 build ??? (after 16299)Windows Object Type encoding131 132
Windows 10 build ???eXtended Control Flow Guard (XFG): Validates call-targets by hash on target type133 134 180 180-2 181 181-2 183 183-2 204 214 222 223
Windows 10 build 17672Kernel pool moving towards Low Fragmentation Heap algorithm135 136
Windows 10 1809 build ???Threat-Intelligence Kernel APC Injection Sensor137 138 139
Windows Insider Flight 18980kernel-mode and Hyper-V automatic initialization of scalars (pointers, int, etc.)140
Windows 10 ??? (Oct 2019)Virtualization Based Security (VBS) enabled by default141 142 180 180-2
Windows 10 1607tagWND.strName primitive mitigation144
Windows 10 1709win32k object type isolation215 216 217
Windows 10 1803win32k tagWND additional r/w primitive removal215
Windows 10 1809win32k desktop heap user/kernel separation215
Windows 10 1809kLFH (disable by default)143
Windows 10 1903kLFH (enabled by default)218
Windows 10 1903Userland Control-flow Enforcement Technology (CET)200 201 202 203
Windows 10 March 2020Hardlink mitigation (requires FILE_WRITE_ATTRIBUTES)157
Windows 10 May 2020 and supported hardwareeXtended Flow Guard (XFG) (improved CFG) forward-edge CFI, can use Intel CET shadow stacks (only on supported hardware)145 161 161-2 161-3 165-2 214
Windows 10 ???No Uninitialized Stack162 162-2
Windows 10 ???Extreme Flow Guard (xFG)165 165-2 180 180-2 214
Windows 10 21H1Kernel Data Protection (KDP)165 165-2 174 174-2 175 175-2 177 177-2
Windows 10 ???Vulnerable driver blocking169
Windows 10 ???Zeroed kernel pool allocation171 173 173-2 179 182 182-2 187 187-2
Windows 10 21H1Authenticated Pointers (PAC) on ARM64176
Windows 10 21H1Dynamic relocations to allow user shared data to be relocated176
Windows 10 21H1Kernel Mode TLS (Thread Local Storage) with PsTls* APIs176
Windows 10 21H1Kernel Control-flow Enforcement Technology (CET)176 180 180-2
Visual Studio 2019 ???ASan support for MSVC196 197
Windows 10 ???Supervisor Mode Access Prevention (SMAP)178 178-2
Windows 10 ???Randomized mapping of VTL0's KUSER_SHARED_DATA in ring0 VTL1184 189
Windows 10 ???Require graphics drivers developers to write user space only drivers208
Windows 11 (Build 22000)Allows not following symlink for mount points (not default yet)202
Windows 11 (Build ???)XTENDED_CONTROL_FLOW_GUARD, POINTER_AUTH_USER_IP, REDIRECTION_TRUST212
Windows 10 / Windows Server 2016 and 2019Keyboard and mouse disabled in session 0219 220
Windows 10 1803 / Windows 11 / Windows Server 2019 and 2022Interactive Services Detection Service (UI0Detect) binaries removed221