Hacker News

Life gets a lot better when you start running Win10 security.

I.e.: Win10 can run the password manager service on a separate VM now automatically. Hell, you can start a new version of Microsoft Edge in a clean and isolated VM, requiring the attacker to use a hypervisor zero-day to pwn your box. And since the Microsoft Hyper-V hypervisor is often running through UEFI secure boot with assistance of the TPM modules on the motherboard, and because the hypervisor has very few services running (really: any service is in its own VM), it's a much, much harder attack surface to go through.

https://blogs.windows.com/msedgedev/2016/09/27/application-g...

Security features that add convenience (i.e.: group policy allows admins to automatically open websites in "Application Guard" mode) help a lot. When the user literally only has to wait ~5 to ~10 seconds to boot up a clean version of IE isolated inside of a VM (separated in an RDP session), it's much easier to have widespread security throughout a network.

I mean really: think about the security model needed to pwn AppGuard + IE. You either need to pwn the RDP session (unlikely, but hey, it's possible). Or, you figure out how to escape an isolated VM, when said VM has virtually all applications locked out. I saw a security demo of AppGuard recently. You can't run cmd.exe, you can't run PowerShell, you have zero permissions inside of your VM. If you somehow escape the sandbox, you STILL have to break through a hypervisor to get to the user.

It's way, way WAY easier to do "proper security" with Win10 + all of the virtualization tricks (AppGuard, Credential Guard, Device Guard). The modern Win10 security model is beginning to be immune to even kernel-mode exploits.

-----------------------

With that being said: WinXP has security problems with modern Win Vista+ because that's the edition where Microsoft decided that direct-hardware access is a BAD IDEA for standard usermode applications.

WinXP allows any user-mode application to directly talk with the hardware. Win Vista+ does NOT allow it. And that broke a ton of programs (old controller hardware, printer drivers, etc.)

Fixing security issues causes compatibility problems.
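The comment above lists the virtualization-based protections (Credential Guard, Device Guard/HVCI, Application Guard) as the reason Win10 is so much easier to secure, but it does not show how to verify that a given machine actually has them switched on. The following audit script is an added example written for this page; it is not code from the commenter or from Microsoft. It reads the documented `Win32_DeviceGuard` WMI class, queries the Application Guard optional feature, and then reads the Group Policy registry value that the "open websites in Application Guard mode" setting writes. The registry path `HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI` and the value name `AllowAppHVSI_ProviderSet` are taken from Microsoft's policy documentation as I recall it and are marked as an assumption in the code; everything else is the standard cmdlet surface. Run it from an elevated PowerShell session on Windows 10.

```powershell
# Added example (not part of the HN comment): audit whether the virtualization-based
# protections mentioned in the comment are enabled and running on this host.
# Requires an elevated PowerShell session; Win32_DeviceGuard needs Windows 10+.

function Get-VbsProtectionStatus {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard is the documented WMI class for virtualization-based security (VBS).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # SecurityServicesRunning is an array of service ids:
    #   1 = Credential Guard (LSA isolation), 2 = HVCI (hypervisor-enforced code integrity,
    #   the "Device Guard" piece that blocks unsigned kernel code).
    $running = @($dg.SecurityServicesRunning)
    $credentialGuardRunning = $running -contains 1
    $hvciRunning            = $running -contains 2

    # Application Guard ships as an optional Windows feature; State is Enabled or Disabled.
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' `
                                       -ErrorAction SilentlyContinue
    $wdagState = if ($wdag) { $wdag.State.ToString() } else { 'Feature not present' }

    # ASSUMPTION: policy path/value as documented by Microsoft for the
    # "Turn on Windows Defender Application Guard in Managed Mode" Group Policy.
    # 0 = off, 1 = enabled for Microsoft Edge (other provider bits exist for newer builds).
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    $policy = Get-ItemProperty -Path $policyPath -Name 'AllowAppHVSI_ProviderSet' `
                               -ErrorAction SilentlyContinue
    $wdagPolicy = if ($policy) { $policy.AllowAppHVSI_ProviderSet } else { 'Not configured' }

    [pscustomobject]@{
        SecureBootEnabled           = [bool](Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)
        VirtualizationBasedSecurity = $vbsStatus
        CredentialGuardRunning      = $credentialGuardRunning
        HvciRunning                 = $hvciRunning
        ApplicationGuardFeature     = $wdagState
        ApplicationGuardPolicy      = $wdagPolicy
    }
}

# Flag the gaps a defender would care about: VBS configured but not actually running
# (typically a missing Secure Boot / IOMMU prerequisite), or the feature installed but
# never turned on by policy.
function Test-VbsProtectionGaps {
    [CmdletBinding()]
    param([Parameter(Mandatory)] $Status)

    $gaps = @()
    if ($Status.VirtualizationBasedSecurity -ne 'Running') {
        $gaps += "VBS is '$($Status.VirtualizationBasedSecurity)'; Credential Guard and HVCI depend on it."
    }
    if (-not $Status.CredentialGuardRunning) { $gaps += 'Credential Guard is not running.' }
    if (-not $Status.HvciRunning)            { $gaps += 'HVCI (Device Guard code integrity) is not running.' }
    if ($Status.ApplicationGuardFeature -ne 'Enabled') {
        $gaps += "Application Guard feature state: $($Status.ApplicationGuardFeature)."
    } elseif ($Status.ApplicationGuardPolicy -ne 1) {
        $gaps += 'Application Guard is installed but not enabled by policy for Edge.'
    }
    return $gaps
}

$status = Get-VbsProtectionStatus
$status | Format-List
$gaps = Test-VbsProtectionGaps -Status $status
if ($gaps.Count -eq 0) { 'All virtualization-based protections are active.' } else { $gaps }
```

The point of splitting the check into "configured" versus "running" is that `VirtualizationBasedSecurityStatus` of 1 is the common failure mode in practice: policy has been pushed, but the host lacks Secure Boot, an IOMMU, or has a conflicting hypervisor, so the Credential Guard and HVCI protections the comment describes silently never start. The Application Guard feature can be installed with `Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard`, but the policy value is what actually makes Edge open untrusted sites in the isolated VM.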
