
[Moving this to luv-talk as I'm taking it off-topic for luv-main]

Craig Sanders via luv-main <luv-main@luv.asn.au> wrote:

> Many are still "happily" using XP (i.e. they don't know any better), as the recent virus fiasco at RMH shows. Workstations across the entire hospital, from pharmacy to the wards, were taken out by really ancient XP viruses. I know, I've been stuck in here for much of it. Some sections (fortunately, the transplant clinic was one) had upgraded to Win7, but many were still running XP.
Just wondering what is currently considered best practice for protecting a modern Microsoft Windows machine against malware and exploitation?

I read an interesting article over the weekend: http://www.malwaretech.com/2015/09/device-guard-beginning-of-end-for.html according to which MS have implemented new security measures based on the virtualization instructions of the CPU. If I understand correctly, the parts of the kernel responsible for verifying signed executables are compartmentalized using virtualization. Malware can compromise the remainder of the kernel without compromising the hardware-protected code. Only signed executables can be run, and UEFI "secure boot" is used. Thus they reduce the size of the Trusted Computing Base considerably.

Apparently, under Microsoft NT-derived systems, the windowing and graphics code all runs in kernel mode, surely providing plenty of opportunity for attackers.
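As an added example (not from the original post or from the linked article), here is how one can check from PowerShell whether a given machine is actually running the protections described above: virtualization-based security, hypervisor-enforced code integrity (HVCI), the code-integrity policy enforcement mode, and UEFI Secure Boot. It assumes Windows 10 / Server 2016 or later, an elevated PowerShell session (Confirm-SecureBootUEFI requires one), and the value meanings of the Win32_DeviceGuard WMI class as documented by Microsoft (0/1/2 for VBS status and policy enforcement, 1 = Credential Guard and 2 = HVCI in SecurityServicesRunning). The function name Get-DeviceGuardReport is my own.

```powershell
# Added example: report the state of the hardware-backed protections discussed above.
# Assumes Windows 10 / Server 2016 or later and an elevated PowerShell session.

function Get-DeviceGuardReport {
    # Win32_DeviceGuard lives in its own WMI namespace, not root\cimv2
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Value meanings as documented by Microsoft for this class (assumption: unchanged in your build)
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (hypervisor-enforced code integrity)' }

    # SecurityServicesRunning is an array of service IDs; map the known ones to names
    $running = @($dg.SecurityServicesRunning | ForEach-Object {
        if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "Service $_" }
    })

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "no Secure Boot"
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        KernelCodeIntegrityPolicy   = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrityPolicy = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        SecurityServicesRunning     = ($running -join ', ')
        UefiSecureBoot              = $secureBoot
    }
}

$report = Get-DeviceGuardReport
$report | Format-List

# The "small TCB" argument only holds when every layer is actually on:
# VBS running, HVCI running inside it, kernel CI policy enforced, and Secure Boot
# protecting the boot chain that loads the hypervisor in the first place.
$hardened = ($report.VirtualizationBasedSecurity -eq 'Running') -and
            ($report.SecurityServicesRunning -like '*HVCI*') -and
            ($report.KernelCodeIntegrityPolicy -eq 'Enforced') -and
            $report.UefiSecureBoot
if (-not $hardened) {
    Write-Warning 'Not all Device Guard protections are active on this machine.'
}
```

The point of the final check is that the protections are layered: VBS "Enabled but not running" usually means the hypervisor could not start (no VT-x/AMD-V, no SLAT, or virtualization disabled in firmware), and without Secure Boot an attacker with admin rights can still replace the boot chain that loads the hypervisor, so a single "enabled" flag is not enough to claim the reduced Trusted Computing Base the article describes.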