Windows Enterprise Desktop

Oct 27 2014   10:12AM GMT

Windows 10 Strengthens Inbuilt Security

Ed Tittel

Tags:
Windows 10
Windows Security

Last Friday, two interesting and complementary blog posts appeared, each with its own discussion of security in the latest Windows 10 Technical Preview version. The first comes from Microsoft itself, in a post by Jim Alkove for the Windows for Your Business blog, entitled “Windows 10: Security and Identity Protection for the Modern World.” The second occupies a significant portion of Paul Thurrott’s mind-bending Windows SuperSite article entitled “Windows 10 is the Most Audacious Release in the History of the Platform.” This is pretty strong stuff, and will take a little time to work your way through. Hopefully, the summary that follows will give readers the impetus to do just that.


It is too facile to say that Windows 10 locks things up from a security perspective, though it certainly adds and extends protection at many levels.
Source: Shutterstock 210211225.

The MS blog post raises the following issues:

  • Windows 10 is intended to “move the world away from the use of single factor authentication options, like passwords.” Once mobile devices are enrolled, they become one of two factors required for authentication, where the second factor could be a PIN or a biometric (e.g. a fingerprint). This lets a user’s smartphone vouch for his PC and requires attackers to compromise two devices to mount a successful attack. MS describes this functionality as allowing a mobile device to “…behave like a remote smartcard and it will offer two factor authentication for both local sign-in and remote access.” It works with existing PKI infrastructures, and with Active Directory, Azure Active Directory, and Microsoft Accounts. MS is also taking steps to protect user access tokens created upon authentication from attack by storing them in a secure Hyper-V based container.
  • Windows 10 will build “robust data loss prevention right into the platform itself.” This involves use of strong encryption technologies from BitLocker, Azure Rights Management, and Information Rights Management in MS Office, but adds DLP technology “that separates corporate and personal data and helps protect it using containment…” so that there’s “… no need for … users to switch modes, or apps, in order to protect corporate data, which means that users can help keep data safe without changing their behavior” (emphasis mine). This applies equally to mobile devices running Windows Phone and to other devices (also possibly mobile) running Windows. VPN control options for remote access are also extended and improved, including “app-allow and app-deny lists” as well as controls aimed at “specific ports or IP addresses.”
  • “When it comes to online threats, such as malware, we’ll have a range of options to help enterprises protect against common causes of malware infection on PCs.” This includes options for device lockdown and mechanisms that let users install only trusted apps (signed through MS-provided signing services), covering “anything that can run on the Windows desktop” on mobile devices, desktops, and PCs alike.
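The “trusted, signed apps only” model in the last bullet was still a preview-era promise when this was written, but the check a practitioner wants before adopting any such policy already exists on Windows 7 and later: find out which of the binaries you rely on are actually signed, and by whom. The script below is an added example, not code from the Microsoft post or from Thurrott; it uses only the built-in Get-AuthenticodeSignature cmdlet plus the AppLocker module (which assumes a Windows edition that ships AppLocker). The directory in $Path and the output file name are assumptions for illustration.

```powershell
# Added example (not from the original post): inventory the Authenticode
# signature state of executables under a directory so you can see what a
# "signed, trusted apps only" policy would block before you enforce it.
param(
    [string]$Path = "$env:ProgramFiles",   # assumed audit root; adjust as needed
    [string]$PolicyOut = "$env:TEMP\applocker-draft.xml"  # assumed output path
)

# Walk the tree and record one row per executable artifact.
$results = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.msi `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.FullName
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }

# How much of the estate would pass a "signed by a valid publisher" rule?
$results | Group-Object Status | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Unsigned or tampered files are exactly what a signed-only policy blocks.
# HashMismatch in particular means the file changed after it was signed.
$results | Where-Object { $_.Status -ne 'Valid' } |
    Select-Object File, Status | Format-Table -AutoSize

# Which publishers are you implicitly trusting? Useful input to a publisher allow-list.
$results | Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Draft an AppLocker policy from the same files: publisher rules where a valid
# signature exists, hash rules as a fallback for the unsigned remainder.
# Requires the AppLocker module (Windows 7 Enterprise/Server 2008 R2 and later).
if (Get-Command New-AppLockerPolicy -ErrorAction SilentlyContinue) {
    Get-AppLockerFileInformation -Directory $Path -Recurse |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
        Out-File -FilePath $PolicyOut -Encoding UTF8
    Write-Host "Draft AppLocker policy written to $PolicyOut (review, then test in AuditOnly mode)"
}
```

Run it against the directories your users actually launch software from, not just Program Files. The draft policy it emits is a starting point for review, not something to push straight to enforcement: apply it first with Set-AppLockerPolicy in AuditOnly mode and watch the AppLocker event log for what would have been blocked.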

Thurrott follows up with his own salute to security improvements, including:

  • Use of Azure Active Directory (AAD) instead of Microsoft Accounts (MSAs), which “enables corporations to federate their on-prem Active Directory with AAD and continue using the Universal apps platform and other features that required an MSA in a way that respects their internal policies” (emphasis mine).
  • Integrating multi-factor authentication more deeply into the platform, which ties into the use of mobile devices as what Thurrott calls “virtual smart card technology,” as explained above.
  • Information protection, another way of describing data loss prevention (DLP), which Thurrott views as an “evolution of the rights management technologies Microsoft has been working on for over a decade…”
  • Secure remote access, which Thurrott explains as an “evolution of the managed VPN technologies that debuted in Windows 8.1 and Windows Phone 8.1,” now extended “to individual desktops and Universal apps (per-app VPN) and managed via MDM” (mobile device management) and made “available to all third-party VPN providers.”

The MS post conveys all the key points, but Thurrott is better at estimating their impact on the enterprises and organizations that will deploy the new OS sooner or later (probably later, if history is any guide, though these new features may give businesses a real impetus to speed things up somewhat). Good stuff!

2  Comments on this Post

  • JustinWilson07
    Never been a big fan of Win 10. I would rather stick with Windows 7, as I am used to it, and also the fact that you are never secure online, so it doesn't make that much of a difference to me.
  • Ed Tittel

    I believe you're entitled to your opinion, and to your choice of desktop OS. But sooner or later, Win7 will shuffle off the scene, and then what? I jumped sooner (mostly because it's part of what I do for a living) and you'll jump later. Will it be to another Microsoft OS? What do you think?

    Thanks for your comment,

    --Ed--
