Loopus


AppLocker & WDAC


Learning Objectives

  • Implement application control policies
  • Configure Windows Defender features
  • Use built-in Windows security capabilities

Advanced Windows Security Features

Windows includes powerful security features beyond basic configuration. Application control, credential protection, and exploit mitigation provide defense in depth.

Application Control

AppLocker controls which applications can run. Policy rules specify allowed executables, scripts, installers, and DLLs.

Rule types:

  • Publisher - Allow software from specific vendors (signed code)

  • Path - Allow executables in specific directories

  • Hash - Allow specific file hashes


Start with audit mode to understand what would be blocked. Refine rules before enforcement.
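
The workflow above (rules from all three types, audit mode first, refine before enforcement) as an added PowerShell example; it is not from the Loopus lesson. It assumes an elevated PowerShell on a Windows edition that ships AppLocker, and treats `C:\Windows` and `C:\Program Files` as the trusted install roots (replace with your own); the sample paths handed to the dry run are placeholders.

```powershell
# Added example (not part of the Loopus lesson): build an AppLocker policy in
# audit mode from publisher, hash and path information, then dry-run it.

# AppLocker decisions are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Collect publisher/path/hash information for the software that should be allowed.
# DLL rules are left out here: they need separate testing because of their volume.
$fileInfo = @('C:\Windows', 'C:\Program Files') | ForEach-Object {
    Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe, Script, WindowsInstaller
}

# Rule preference: Publisher rules survive vendor updates; Hash rules cover unsigned
# files. Path rules belong only to directories standard users cannot write to.
$policy = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize

# Save the policy and switch every rule collection to audit mode before importing.
$xmlPath = "$env:TEMP\AppLocker-Audit.xml"
$policy.ToXml() | Set-Content -Path $xmlPath -Encoding UTF8
[xml]$doc = Get-Content -Path $xmlPath
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    # 'AuditOnly' logs what would be blocked; change to 'Enabled' once the rule set is refined.
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$doc.Save($xmlPath)

# Apply the audit policy locally (add -Merge to keep rules that already exist).
Set-AppLockerPolicy -XmlPolicy $xmlPath

# Dry run: ask the policy what it would decide for sample binaries (placeholder paths)
# without waiting for real executions to show up in the event log.
$samples = @('C:\Windows\System32\notepad.exe', "$env:TEMP\unknown-tool.exe")
Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $samples -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Anything AppLocker cannot match against an allow rule is denied, so a policy built only from scanned directories will report user-profile locations as denied in the dry run; that is the intended starting point for refinement.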

Windows Defender Application Control (WDAC) provides more comprehensive control than AppLocker, including kernel-mode enforcement. It is more complex to configure, but the resulting control is stronger.
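
The WDAC counterpart of the AppLocker workflow, as an added PowerShell example that is not from the Loopus lesson: scan a reference machine, generate a policy, keep it in audit mode, and compile it to the binary form Windows loads. It assumes an elevated PowerShell on Windows 10/11 or Server 2016+ with the ConfigCI module; the temp-file paths are placeholders.

```powershell
# Added example (not part of the Loopus lesson): WDAC policy in audit mode.
$policyXml = "$env:TEMP\WDAC-Audit.xml"
$policyBin = "$env:TEMP\WDAC-Audit.bin"

# Scan the reference image. -Level Publisher trusts signing certificates (the WDAC
# equivalent of AppLocker publisher rules); -Fallback Hash covers unsigned files;
# -UserPEs includes user-mode binaries rather than only kernel drivers.
# A full-disk scan takes a while; narrow -ScanPath on a known-good reference build.
New-CIPolicy -FilePath $policyXml -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -MultiplePolicyFormat

# Rule option 3 = Enabled:Audit Mode. Would-be blocks go to the CodeIntegrity log
# instead of being enforced. Remove it (Set-RuleOption -Delete) after refinement.
Set-RuleOption -FilePath $policyXml -Option 3
# Rule option 6 = Enabled:Unsigned System Integrity Policy, so the policy can be
# updated without a signing step during the pilot.
Set-RuleOption -FilePath $policyXml -Option 6

# Compile the XML into the binary the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# In multiple-policy format the binary is deployed as {PolicyID}.cip under the
# active CI policy directory; the ID comes from the generated XML.
[xml]$doc = Get-Content -Path $policyXml
$policyId = $doc.SiPolicy.PolicyID
$target = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\$policyId.cip"
Copy-Item -Path $policyBin -Destination $target
# The policy becomes active after a reboot.
```

Kernel-mode enforcement is why the scan includes drivers by default; a driver the scan did not see will be logged (and later blocked) like any other binary, so the reference machine must carry the full hardware and software set of the fleet it represents.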

Credential Protection

Credential Guard isolates credential material in a virtualized environment separate from the running OS. Even an attacker with kernel access cannot extract the isolated credentials.

Remote Credential Guard protects credentials during RDP sessions. Credentials never leave the client machine.

The Protected Users group adds further protections: no NTLM authentication, no delegation, shorter Kerberos ticket lifetimes, and no cached credentials.

Exploit Mitigation

Windows Defender Exploit Guard includes multiple protections:

  • Attack Surface Reduction (ASR) rules block common attack behaviors: Office macros spawning processes, obfuscated scripts, credential stealing from LSASS

  • Controlled Folder Access protects designated folders from ransomware

  • Network Protection blocks connections to known-bad domains

  • Exploit Protection applies mitigations like ASLR, DEP, and CFG
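
The four Exploit Guard components above, configured in audit mode where audit is supported so that their effect is logged before it is enforced. This is an added PowerShell example, not from the Loopus lesson. It assumes an elevated PowerShell with the Defender module on Windows 10/11; the protected folder and allowed application paths are placeholders. The three ASR rule GUIDs are Microsoft's documented identifiers for the behaviours the lesson names.

```powershell
# Added example (not part of the Loopus lesson): Exploit Guard in audit mode.

# ASR rules are addressed by GUID; these three match the behaviours the lesson lists.
$asrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    # Add-MpPreference appends instead of replacing the whole rule list.
    # Switch AuditMode to Enabled once the audit events show no legitimate hits.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# Controlled Folder Access: audit first, then add the data folders ransomware would
# target and the trusted applications that legitimately write there (placeholders).
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\Backup\backup.exe'

# Network Protection depends on cloud-delivered protection being enabled.
Set-MpPreference -EnableNetworkProtection AuditMode

# Exploit Protection mitigations are enforced, not audited, so apply them
# system-wide only after per-process testing of applications known to be fragile.
Set-ProcessMitigation -System -Enable DEP, SEHOP, CFG, BottomUp, HighEntropy

# Read back the effective state.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    EnableControlledFolderAccess, EnableNetworkProtection
Get-ProcessMitigation -System
```

Settings delivered by Group Policy or Intune take precedence over `Set-MpPreference`, so on a domain-joined machine the read-back at the end is the value to trust, not the command that was issued.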


Windows Defender Configuration

Real-time protection scans files as they are accessed. Keep enabled except for documented exceptions.

Cloud-delivered protection enables fast response to new threats using cloud analysis.

Automatic sample submission sends suspicious files for analysis. Enable for best protection.

Tamper protection prevents attackers from disabling Defender—critical to enable.

Exclusions: minimize them. Every exclusion creates a potential hiding place for malware.
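
The Defender baseline from this section, with an exclusion review, as an added PowerShell example that is not from the Loopus lesson. It assumes an elevated PowerShell with the Defender module on Windows 10/11. Tamper protection cannot be switched on from `Set-MpPreference` (it is set from Windows Security or Intune), so the script only reports its state; the "risky exclusion" patterns are my own heuristics, not a Microsoft list.

```powershell
# Added example (not part of the Loopus lesson): Defender baseline and exclusion review.

# Real-time protection, cloud-delivered protection, automatic sample submission.
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced                # cloud-delivered protection
Set-MpPreference -SubmitSamplesConsent SendAllSamples   # SendSafeSamples if policy requires
Set-MpPreference -CloudBlockLevel High
Set-MpPreference -CloudExtendedTimeout 50               # extra seconds to wait for a cloud verdict

# Report the state, including tamper protection and signature age.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtected    = $status.IsTamperProtected
    SignatureAgeDays   = $status.AntivirusSignatureAge
    EngineVersion      = $status.AMEngineVersion
}

# Exclusion review. Every entry is a location, process or extension Defender never
# inspects; flag broad, wildcarded or user-writable entries for removal.
$prefs = Get-MpPreference
$risky = @()
foreach ($p in $prefs.ExclusionPath) {
    if ($p -match '^[A-Za-z]:\\$' -or                    # a whole drive
        $p -match '(?i)\\(Users|Temp|ProgramData|Public)\\' -or   # user-writable trees
        $p -match '\*') {                                # wildcards widen the hole
        $risky += "Path: $p"
    }
}
foreach ($e in $prefs.ExclusionExtension) { $risky += "Extension: $e" }   # rarely justified
foreach ($x in $prefs.ExclusionProcess)   { $risky += "Process: $x" }     # everything the process touches is skipped
if ($risky.Count -gt 0) {
    Write-Warning ("Review these exclusions:`n" + ($risky -join "`n"))
}
# An unjustified entry is dropped with, for example:
# Remove-MpPreference -ExclusionPath 'C:\Temp'
```

Process exclusions deserve particular scrutiny: they exempt every file the named process opens, so a single exclusion for a scripting host or an updater is effectively a path exclusion for wherever that process can be pointed.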

Monitoring and Validation

Verify security features are working:

  • Event logs for AppLocker/WDAC decisions

  • Defender protection history

  • Exploit protection event logs

  • GPO compliance reporting


Security features only help if they are actually running and configured correctly.
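
A validation sweep over the sources listed above, plus a check that Credential Guard is actually running (the Credential Protection section describes it but offers no check). This is an added PowerShell example, not from the Loopus lesson. It assumes an elevated PowerShell on Windows 10/11 with AppLocker, WDAC and Defender already configured; the event IDs are Microsoft's documented ones for those channels, and the report file path is a placeholder.

```powershell
# Added example (not part of the Loopus lesson): verify the controls are running
# and pull the last 24 hours of decisions from each log the lesson names.
$since = (Get-Date).AddDays(-1)

function Get-RecentEvents {
    param([string]$Log, [int[]]$Ids)
    $filter = @{ LogName = $Log; StartTime = $since }
    if ($Ids) { $filter.Id = $Ids }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        @()   # Get-WinEvent errors when nothing matches; treat that as "no events"
    }
}

# AppLocker: 8003 = audit-only, would have been blocked; 8004 = blocked.
$appLocker = Get-RecentEvents -Log 'Microsoft-Windows-AppLocker/EXE and DLL' -Ids 8003, 8004
# WDAC: 3076 = audit-mode block, 3077 = enforced block.
$wdac = Get-RecentEvents -Log 'Microsoft-Windows-CodeIntegrity/Operational' -Ids 3076, 3077
# Exploit Guard: 1121/1122 ASR block/audit, 1123/1124 Controlled Folder Access
# block/audit, 1125/1126 Network Protection audit/block.
$exploitGuard = Get-RecentEvents -Log 'Microsoft-Windows-Windows Defender/Operational' -Ids 1121, 1122, 1123, 1124, 1125, 1126
# Exploit Protection mitigations write to their own channels when one fires.
$mitigations = Get-RecentEvents -Log 'Microsoft-Windows-Security-Mitigations/UserMode'

# Defender protection history.
$detections = Get-MpThreatDetection | Where-Object InitialDetectionTime -gt $since

# Credential Guard / HVCI: SecurityServicesRunning contains 1 for Credential Guard, 2 for HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Effective AppLocker enforcement mode per rule collection.
[xml]$effective = Get-AppLockerPolicy -Effective -Xml
$modes = $effective.AppLockerPolicy.RuleCollection | ForEach-Object { "$($_.Type)=$($_.EnforcementMode)" }

[pscustomobject]@{
    AppLockerModes        = $modes -join ', '
    AppLockerEvents       = @($appLocker).Count
    WdacEvents            = @($wdac).Count
    ExploitGuardEvents    = @($exploitGuard).Count
    MitigationEvents      = @($mitigations).Count
    DefenderDetections    = @($detections).Count
    RealTimeProtection    = (Get-MpComputerStatus).RealTimeProtectionEnabled
    CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
}

# Which rules fired is what drives refinement; the message text names the file and rule.
$appLocker + $wdac + $exploitGuard | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# GPO compliance: export the computer-scope RSoP report for the compliance tooling (placeholder path).
gpresult /scope:computer /x "$env:TEMP\gpo-report.xml" /f
```

Zero events in every channel is not by itself evidence of success: it is also what an unconfigured or stopped control produces. That is why the summary pairs the event counts with the running state (enforcement modes, real-time protection, Credential Guard) before anyone reads a quiet log as a clean one.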

Answer the Questions

Question 1 (Knowledge)

What is AppLocker?

Format: ************ (12 chars)
Exact match required

Question 2 (Hands-On)

What is the extension for policy files?

Format: **** (4 chars)
Exact match required

Question 3 (Knowledge)

What is WDAC?

Format: ************ (12 chars)
Exact match required

Question 4 (Hands-On)

What term describes the highest level of trust?

Format: ****** (6 chars)
Exact match required
