Windows 10’s new security features for business
Peter Egerton is a Microsoft System Center Consultant for Inframon Ltd. He travels the UK designing, implementing, supporting and training on the Microsoft System Center product range. I’ve been an IT Pro for 14 years and in my spare time I am a Community Leader for the Windows Management User Group (WMUG).
So Windows 10 is now out in the wild and millions of people worldwide are already using it - dare I say, quite happily. Now obviously the take up for businesses will be somewhat slower. There is far more to consider not only in the deployment, but the return on investment of both time and money; whether they will actually gain anything from making the move to 10. One of the big selling points for Windows 10 is the enhanced security features, developed to tackle the modern day challenges that simply weren’t around in the days of Windows 7 or 8. Let’s take a look at the headline security features first.
Windows Hello
Windows Hello is essentially an alternative to using passwords to log into your device. We all know it’s easy to forget a password and difficult to keep them unique for all our logins; I’d be lying if I said I hadn’t seen passwords written on sticky notes before now. Windows Hello uses biometrics to log in and includes finger print, iris and facial recognition. Hello replaces the need for a password to log in, which is both more secure and harder to forget. A PIN is generated which is backed by your biometric information; this is more secure as these are valid for your device only. If someone acquires your finger print for example it won’t work on another machine as the authentication is local and your biometric information isn’t going over the wire. To use the facial and iris recognition you will require a camera with the Intel Realsense technology which was developed with CreativeLabs. This is essentially a camera with an HD lens, an infra-red lens and an infra-red sensor which together scans your face in 3D so you can’t use a photo to trick it. These cameras are available on a small number of devices already but will become more widespread as it was developed specifically to be cheap and amenable to all.
Microsoft Passport
So here’s the second part of the puzzle – Passport. How many times have you heard news stories about leaked passwords scraped from a server? What if there were no passwords to be leaked? Windows Passport verifies you are using a device on initial set up and then authenticates for you without sending a password up the wire. This adds the device itself as component of the authentication mechanism which is somewhat harder to steal from thousands of miles away. Think about using this in combination with thousands of Azure AD services and then combine this with Hello and it starts to get the cogs turning. Microsoft has joined the FIDO alliance with an ultimate aim of moving away from and creating alternatives to password authentication which can only be a good thing in my mind.
Device Guard
The final headliner is Device Guard. This new Windows 10 feature allows you to lock down exactly what applications can run on a device. I know what you’re thinking – AppLocker, well no not quite it’s more than that. Applocker simply restricts certain applications running by process name, Device Guard actually locks the machine down to only trusted applications which you have signed. Device Guard uses something called User Mode Code Integrity (UMCI) which ensures applications run in user mode and not kernel mode thus separating the process from the underlying kernel of the operating system, not a new concept but Device Guard can run as a virtualisation based service which keeps the operating system kernel separate from the application therefore reducing the risk of attack against the operating system. It can also utilise the TPM chip on your device to store sensitive information which in a similar manner to Passport uses the hardware itself as a link in the chain. All round I think you will agree this is a much improved approach to locking down a device and limiting the attack surface.
What else?
So that’s the headliners covered but when you start to combine these new features with other pieces of the puzzle it makes quite a compelling argument and shows Microsoft are serious about security. Take Windows update for example – the thing your users love to hate. No longer will we be looking at a patch Tuesday update cycle which can leave your machines with known published vulnerabilities whilst you test them out and the baddies figure out how to exploit it. Updates will come as and when they’re ready, you can still approve and assess them but there’s no waiting around whilst Microsoft bundle them together and hit a deadline which I also suggest may lend itself better to quality updates. Microsoft Edge which is the new web browser and also part of Windows 10 also has some security considerations put into it by reducing the extension support which frequently bring with them certain vulnerabilities. Throw some Azure Rights Management and single sign on into the mix and look at the bigger picture and not only do you have a pretty robust line up but also a more user friendly method of authenticating and keeping your devices and data secure.
For more information on any of these technologies hit the links below: