18.9.5.7 Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode'

Information

This policy setting enables Hardware-enforced Stack Protection for kernel-mode code. Kernel-mode data stacks are hardened with hardware-based shadow stacks, which store the intended return address targets to ensure that program control flow is not tampered with.

The recommended state for this setting is: Enabled: Enabled in enforcement mode.

Note: Virtualization Based Security (VBS) requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM.

More information on system requirements for this feature can be found at Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs

Note #2: This specific security feature of VBS is only compatible with Windows 11 Release 22H2 (and newer).

Note #3: Only Intel CPUs from Tiger Lake and beyond or AMD CPUs from Zen 3 and beyond (both were released in fall 2020) are compatible with this security feature.

Note #4: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.

Rationale:

This setting stores a copy of the app's shadow stack (intended code execution flow) in the hardware-based (CPU) security feature VBS. This can prevent malware from hijacking an app's code by exploiting memory bugs such as stack buffer overflows, dangling pointers, or uninitialized variables. This allows VBS to shut down any exploit attempt that relies on modifying the intended code execution flow.

Impact:

This setting is dependent upon Virtualization Based Protection of Code Integrity (aka HVCI) first being enabled, in addition to CPU hardware support for shadow stacks. If either HVCI is not enabled or hardware-based shadow stacks are not supported, this setting will have no effect.

If this setting is successfully enabled, shadow stack violations will be fatal.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled in enforcement mode

Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates (and newer).
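Because the policy has no effect unless HVCI is running and the CPU supports shadow stacks (see Impact above), a compliance check should compare the configured policy against what the OS reports as actually running. The PowerShell script below is an added example for that purpose; it is not part of the CIS benchmark or the Tenable audit text. The Win32_DeviceGuard class, its VirtualizationBasedSecurityStatus and SecurityServicesRunning codes, and Confirm-SecureBootUEFI are documented Windows interfaces. The registry path, value name ConfigureKernelShadowStacksLaunch and the DWORD 2 for "Enabled in enforcement mode" are this example's assumptions about what the DeviceGuard.admx policy writes; confirm them against the DeviceGuard.admx/adml file in your template set before relying on the script.

```powershell
# Added verification example (not part of the CIS/Tenable audit text).
# Reads the Group Policy value, then asks the OS which VBS services are
# actually running, since the policy does nothing without HVCI and
# hardware shadow stack support.

# ASSUMPTION: registry location and value name written by DeviceGuard.admx.
$PolicyKey            = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$PolicyValue          = 'ConfigureKernelShadowStacksLaunch'
$EnforcementModeValue = 2   # ASSUMPTION: 2 = "Enabled in enforcement mode"

function Get-KernelShadowStackPolicy {
    # Returns the configured DWORD, or $null when the policy is Not Configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$PolicyValue
}

function Get-DeviceGuardState {
    # Win32_DeviceGuard reports the effective VBS state, not the policy.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning     = ($dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = enabled and running
        HvciRunning    = ($dg.SecurityServicesRunning -contains 2)      # 2 = HVCI
        KmhspEnforcing = ($dg.SecurityServicesRunning -contains 5)      # 5 = kernel-mode HSP (enforcement)
        KmhspAuditOnly = ($dg.SecurityServicesRunning -contains 6)      # 6 = kernel-mode HSP (audit mode)
    }
}

function Test-KernelShadowStackCompliance {
    $policy = Get-KernelShadowStackPolicy
    $state  = Get-DeviceGuardState

    # Confirm-SecureBootUEFI throws on Legacy BIOS systems; treat that as "not on".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $findings = @()
    if ($policy -ne $EnforcementModeValue) {
        $findings += "Policy '$PolicyValue' is '$policy'; expected $EnforcementModeValue (enforcement mode)."
    }
    if (-not $secureBoot)        { $findings += 'Secure Boot is not on (VBS prerequisite).' }
    if (-not $state.VbsRunning)  { $findings += 'VBS is not running.' }
    if (-not $state.HvciRunning) { $findings += 'HVCI is not running; the shadow stack policy has no effect without it.' }
    if ($state.KmhspAuditOnly)   { $findings += 'Kernel-mode HSP is in audit mode, not enforcement mode.' }
    if (-not $state.KmhspEnforcing) {
        $findings += 'Kernel-mode HSP is not enforcing (policy missing, HVCI off, or CPU lacks shadow stack support).'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Run from an elevated prompt; Findings lists every failed prerequisite.
Test-KernelShadowStackCompliance | Format-List
```

The registry read answers "is the policy set?" while the Win32_DeviceGuard query answers "is the protection actually running?"; a host can pass the first and fail the second when HVCI is off or the CPU predates Tiger Lake / Zen 3, which is exactly the silent-no-effect case the Impact section warns about.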

Default Value:

Not Configured.

See Also

https://workbench.cisecurity.org/benchmarks/13165

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(10)

Plugin: Windows

Control ID: 4bdf6fe605530f062b20a6ab091487d62f0b4b97521f44f9282cd28e180b1a58