Applies To: Windows Server 2025
The security feature Hardware-enforced Stack Protection was introduced in Windows 10 to protect user mode processes and help prevent hijacking of the stack. Hardware-enforced Stack Protection now extends to Kernel Mode, which protects kernel stacks from return-oriented programming (ROP) attacks. ROP is a common way for attackers to hijack the flow of a program's execution and continue their attack chain to run code of their choosing.
With kernel-mode stacks now protected as well, kernel-mode code can no longer modify a saved return address unnoticed, so an attacker who finds a memory safety vulnerability in the kernel can't turn it into a control-flow hijack by way of ROP. Customers are already seeing how Kernel Mode Hardware-enforced Stack Protection stops drivers associated with viruses and malware from executing their malicious payload.
Kernel-mode Hardware-enforced Stack Protection is off by default, but customers can turn it on if the prerequisites are met. This article provides more information about Kernel-mode Hardware-enforced Stack Protection, and shows how to enable the feature in the Windows Security app and via Group Policy.
With Kernel-mode Hardware-enforced Stack Protection, every kernel stack has a corresponding shadow stack that enforces the integrity of its control flow. Once attackers have exploited a memory safety vulnerability, their next step is to redirect the program's control flow to a location of their choosing.
Shadow stacks prevent control-flow hijacking. Windows uses Control Flow Guard to enforce integrity on indirect calls, and Hardware-enforced Stack Protection to enforce integrity on returns in order to protect against exploits which aim to redirect the flow of a program's execution. Control Flow Guard utilizes a bitmap to annotate valid jump targets, to prevent a compromised indirect call from redirecting control flow to arbitrary locations.
The shadow stack is a hardware-protected secondary stack kept for every call stack. Whenever a CALL instruction pushes a return address onto the regular stack, the processor also pushes a copy onto the shadow stack; when a RET pops the return address, the processor pops the shadow copy and compares the two. If the return addresses don't match, the system bug checks (blue screens) rather than continuing execution at the tampered address.
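The following PowerShell script is an added example, not code from the article or from Microsoft: it is a software model of the CALL/RET bookkeeping described above, so you can see what a shadow-stack mismatch looks like. Real Hardware-enforced Stack Protection is done by the processor on shadow-stack pages that ordinary stores can't write; the class, method names and addresses here are made up for illustration.

```powershell
# Added example (not from the article): a software model of a shadow stack.
# The data stack models attacker-writable stack memory; the shadow stack models
# the hardware-protected copy that a stack overflow can't reach.
class ShadowStackCpu {
    [System.Collections.Generic.List[uint64]]$DataStack
    [System.Collections.Generic.List[uint64]]$ShadowStack

    ShadowStackCpu() {
        $this.DataStack   = [System.Collections.Generic.List[uint64]]::new()
        $this.ShadowStack = [System.Collections.Generic.List[uint64]]::new()
    }

    # CALL: the return address is pushed onto both stacks.
    [void] Call([uint64]$ReturnAddress) {
        $this.DataStack.Add($ReturnAddress)
        $this.ShadowStack.Add($ReturnAddress)
    }

    # A stack-buffer overflow that reaches the saved return address. It can only
    # modify the data stack; the shadow stack isn't writable by normal stores.
    [void] Overflow([uint64]$NewReturnAddress) {
        $this.DataStack[$this.DataStack.Count - 1] = $NewReturnAddress
    }

    # RET: pop both copies and compare. On a mismatch the CPU raises a
    # control-protection fault, which Windows turns into a bug check; the model
    # represents that with a terminating exception.
    [uint64] Ret() {
        $fromData   = $this.DataStack[$this.DataStack.Count - 1]
        $fromShadow = $this.ShadowStack[$this.ShadowStack.Count - 1]
        $this.DataStack.RemoveAt($this.DataStack.Count - 1)
        $this.ShadowStack.RemoveAt($this.ShadowStack.Count - 1)
        if ($fromData -ne $fromShadow) {
            throw ('Control-protection fault: data stack returns to 0x{0:X}, shadow stack expects 0x{1:X}' -f $fromData, $fromShadow)
        }
        return $fromData
    }
}

# Made-up addresses (kept in the positive int64 range so the literals parse cleanly).
$callerReturn = 0x00007FF612341000   # legitimate return address
$ropGadget    = 0x00007FF6123F0C0D   # address an attacker would like to return into

$cpu = [ShadowStackCpu]::new()

# 1. Normal call/return: both stacks agree, execution continues.
$cpu.Call($callerReturn)
'Legitimate RET -> 0x{0:X}' -f $cpu.Ret()

# 2. Same call, but a stack overflow rewrites the saved return address first.
$cpu.Call($callerReturn)
$cpu.Overflow($ropGadget)
try {
    $cpu.Ret()
    'RET succeeded (this would mean the hijack worked)'
} catch {
    'Blocked: ' + $_.Exception.Message
}
```

The second RET never reaches the gadget address: the overflow changed only the data-stack copy, and the comparison against the untouched shadow copy fails. This is exactly why the feature is effective against ROP chains, which depend on rewriting saved return addresses.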
For more information, see the blog post on Understanding Hardware-enforced Stack Protection.
Virtualization-Based Security (VBS) and Hypervisor-enforced Code Integrity (HVCI) are prerequisites for Kernel-mode Hardware-enforced Stack Protection, so make sure both are enabled before continuing. They're enabled automatically on Windows systems that meet the minimum hardware requirements.
Enable VBS and HVCI with the following steps:
Open the Windows Security app.
Navigate to Device Security > Core isolation details > Memory integrity.
Toggle the feature On.
After making this change, you need to restart your device.
Then enable Kernel-mode Hardware-enforced Stack Protection in the Windows Security app:
Open the Windows Security app.
Navigate to Device Security > Core isolation details > Kernel-mode Hardware-enforced Stack Protection.
Toggle the feature On.
For enterprise customers, Kernel-mode Hardware-enforced Stack Protection can be enabled using Group Policy.
Open the Local Group Policy Editor.
Navigate to Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security.
Confirm that Virtualization Based Security is Enabled.
Under Options find Kernel-mode Hardware-enforced Stack Protection. Select Enabled in enforcement mode.
Select Apply. Then OK.
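As an added example (not a script from the article or from Microsoft), the following PowerShell checks the VBS and HVCI prerequisites, reports whether Kernel-mode Hardware-enforced Stack Protection is configured and running, and optionally writes the same policy registry values that the "Turn on Virtualization Based Security" Group Policy writes. It assumes the Win32_DeviceGuard WMI class reports security-service codes 2 (HVCI), 5 (KMHSP enforcement) and 6 (KMHSP audit), and that the policy value names EnableVirtualizationBasedSecurity, HypervisorEnforcedCodeIntegrity and ConfigureKernelShadowStacksLaunch under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard match the DeviceGuard ADMX template; verify both against your build before relying on the script.

```powershell
# Added example (not from the article): inspect and configure Kernel-mode
# Hardware-enforced Stack Protection (KMHSP). Run from an elevated prompt on the
# server. A restart is still required after the policy values are written.
#
# Assumptions (verify on your build):
#   - Win32_DeviceGuard (root\Microsoft\Windows\DeviceGuard) exposes
#     VirtualizationBasedSecurityStatus (0 = off, 1 = configured, 2 = running)
#     and SecurityServicesRunning/SecurityServicesConfigured code lists where
#     2 = HVCI, 5 = KMHSP enforcement mode, 6 = KMHSP audit mode.
#   - Policy value names/meanings come from the DeviceGuard ADMX template:
#     EnableVirtualizationBasedSecurity (1 = on),
#     HypervisorEnforcedCodeIntegrity (1 = on with UEFI lock, 2 = on without lock),
#     ConfigureKernelShadowStacksLaunch (0 = disabled, 1 = enforcement, 2 = audit).
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enable,      # write the policy values
    [switch]$AuditMode    # with -Enable: audit mode instead of enforcement mode
)

$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (Memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection (enforcement mode)'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit mode)'
    7 = 'Hypervisor-enforced Paging Translation'
}

function Get-KmhspState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { [int]$_ })
    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { [int]$_ })
    [pscustomobject]@{
        VbsRunning         = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning        = ($running -contains 2)
        KmhspEnforcing     = ($running -contains 5)
        KmhspAuditing      = ($running -contains 6)
        KmhspConfigured    = (($configured -contains 5) -or ($configured -contains 6))
        RunningServices    = @($running    | ForEach-Object { $serviceNames[$_] })
        ConfiguredServices = @($configured | ForEach-Object { $serviceNames[$_] })
    }
}

function Set-KmhspPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([bool]$Audit)
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    if (-not (Test-Path $path)) { $null = New-Item -Path $path -Force }
    $values = @{
        EnableVirtualizationBasedSecurity = 1   # "Turn on Virtualization Based Security": Enabled
        HypervisorEnforcedCodeIntegrity   = 1   # Memory integrity on, locked in UEFI
        ConfigureKernelShadowStacksLaunch = $(if ($Audit) { 2 } else { 1 })
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set to $($values[$name])")) {
            Set-ItemProperty -Path $path -Name $name -Value $values[$name] -Type DWord
        }
    }
}

$state = Get-KmhspState
$state | Format-List

if (-not ($state.VbsRunning -and $state.HvciRunning)) {
    Write-Warning 'VBS and HVCI (Memory integrity) must be running before KMHSP can be enabled.'
}

if ($Enable) {
    Set-KmhspPolicy -Audit:$AuditMode
    Write-Host 'Policy values written. Restart, then rerun this script: KmhspEnforcing (or KmhspAuditing) should be True.'
    Write-Host 'If KmhspConfigured is True but the service is not running, a blocklisted driver is probably installed; open "Review incompatible drivers" in Windows Security.'
}
```

Run it without parameters to get a status report, or with `-Enable` (add `-WhatIf` first to see which values would be written). Audit mode is useful for a staged rollout: it lets you find drivers that would be blocked before you switch to enforcement mode.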
A small set of drivers isn't yet compatible. Drivers that behave like malicious code, for example by hijacking return addresses to get around control-flow policies, aren't compatible and are added to the driver blocklist for kernel-mode hardware-enforced stack protection. Once the vendor has reworked its code obfuscation in a shadow-stack-compliant way, the updated driver is allowed to load.
To provide a good user experience and avoid machine blue screens, Windows maintains a known-incompatible driver blocklist for kernel-mode hardware-enforced stack protection. These are drivers known to hijack return addresses in the kernel. When this feature is turned on, such a driver isn't allowed to load (as opposed to the blue screen that an attempted return address hijack would otherwise trigger). Additionally, if a driver on the blocklist is already installed, the feature fails to enable; uninstall the associated driver to enable it.
The feature can't be enabled until the incompatibilities are resolved, either with an updated version from the driver vendor or by removing the application that installed the driver. To see the list of incompatible drivers, select "Review incompatible drivers".
Certain apps use drivers that are incompatible with Kernel-mode Hardware-enforced Stack Protection, for example apps that use obfuscation engines to protect IP and obfuscate control flow in ways that are incompatible with shadow stacks. When the incompatible driver attempts to load with this security feature enabled, you see a prompt saying "A driver cannot load on this device".
You can optionally disable the security feature, although doing so downgrades the security of your device. You can always re-enable this feature in the Windows Security application.