Following an in-depth update on the Process Manager (which includes a description of Protected Process Light, Pico Processes & Secure Processes, as well as new Job Object Capabilities), attendees will learn about changes in the Thread Scheduler such as the Desktop Activity Monitor (DAM), Priority Inheritance, Quantum Donation & Directed Switch, plus the move to a Shared Ready Queue for scalable thread selection. Finally, this section will cover the new Windows Container support through the Server Silo feature.
The course finishes with an entire day on all the new security-related changes to Windows, including the addition of over 37 new mitigations, Virtualization-Based Security such as Device Guard & Credential Guard, Application Sandboxing through AppContainer, changes to the basic authentication security model through Attribute-Based Access Control (ABAC) & Centralized Access Protection (CAP) with Dynamic Access Control (DAC), and finally the implementation of Secure Boot & Measured Boot, new Kernel-Mode Code Signing (KMCS) Signing Policies & Hypervisor-Based Code Integrity (HVCI), and anti-malware extensions such as Early Launch Anti Malware (ELAM), Anti Malware Scan Interface (AMSI), Secure ETW, and Image Signature Callbacks.
Refresher Course Outline
- Modern Windows Debugging
- Updated OS Fundamentals
- New Executive Features
- Platform Security & Integrity Improvements
- Process Sandboxing Technologies
- Exploit Mitigations
The following topics and concepts are covered in the first days of the course.
Forensics & Analysis
Heterogeneous Processors, Process-Dedicated CPU Sets, Changes to Interrupt Dispatching, Interrupt-Based System Calls, Intel Security Mitigation Support
MinWin Dependency Decoupling, Memory Layout Changes, Memory Partitions, Object Manager Private Namespaces, Object Footers and Extended Types, Handle Table Changes, Win32k Refactoring & Isolation
Processes, Threads, and Jobs
Minimal & Pico Processes, Windows Containers, Network & I/O Rate Control, Shared Ready Queue, Directed Switch, Desktop Activity Manager (DAM)
The last day has a heavy focus on security changes:
Security Assertion Calls, Hypervisor-aware, I/O APIC, ELAM, AMSI, Signature Callbacks, Secured ETW
UEFI Secure Boot, Signing Policies, User Mode Code Integrity (UMCI), Hypervisor-Based Code Integrity, Device Guard/Strong Code Guarantees, PatchGuard, HyperGuard
Process Sandboxing & Protection
User-mode Loader & Protected Policies, AppContainer, Protected Process Light (PPL), Secure Processes (Trustlets)
Arbitrary Code Guard (ACG), Control Flow Guard (CFG), Return Flow Guard (RFG), User-Mode Font Loading,