A first look at Windows 10 security features

In a preview of Windows 10 security features, expert Michael Cobb discusses three improvements that will boost enterprise security.

Windows 10 is scheduled for release at the end of 2015. It will be Microsoft's first operating system that works on all types of devices, including Windows PCs and mobile devices.

Running a single OS throughout an organization can introduce immediate security benefits by greatly simplifying device management while reducing the overall attack surface.

In other good news, Windows 10 will also introduce new features to strengthen authentication and data protection. This will appeal to enterprises looking to eliminate the use of passwords and protect corporate data in the era of BYOD.

In this tip, I will discuss three big security improvements that could make or break the deal for enterprises considering a Windows upgrade.

Windows 10 multifactor authentication

One heavily touted feature in Windows 10 is its built-in multifactor authentication. The authentication scheme is based on the open standards from the FIDO Alliance and will remove the need for extra security hardware peripherals such as smartcards and tokens. Once enrolled, a device becomes one of two factors that are required for authentication. This reduces the viability of phishing attacks as an attacker would need not only the user's PIN or biometric information, but also physical access to their device. This also protects users when breaches occur in password databases -- another common tactic hackers use to gain unauthorized access.

With Windows 10, a device's credential can be either a key pair generated by Windows or a certificate provisioned to the device from an in-house PKI. Active Directory, Azure Active Directory and Microsoft Accounts will all support this new form of authentication. Once a user has been authenticated, his or her access token will be stored within a secure container running on top of Hyper-V technology. This safeguard prevents tokens from being extracted from devices through techniques such as pass the hash or pass the ticket, which let an attacker impersonate a user without ever learning their password.
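The authentication flow described in this section, written out as an added example in Go (not code from the article, from Microsoft or from the FIDO Alliance): an enrolled device holds a P-256 key pair whose private half is released for signing only after a local PIN check, and the identity provider keeps only the public key. The PIN, the account name and the nonce-signing exchange are constructed for illustration and simplify the real FIDO flow, which also binds the challenge to the relying party and uses the platform's protected key storage. The scenarios show the two properties the section claims, and one more: a phished PIN without the enrolled device is rejected, a leaked identity store holds nothing an attacker can sign with, and a captured signature cannot be replayed against a fresh challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Device models an enrolled device; its private key never leaves it and is PIN-gated.
type Device struct {
	priv    *ecdsa.PrivateKey
	pinHash [32]byte
}

// IdP models the identity provider (AD or Azure AD in the article). It stores
// only public keys, so a leaked store gives an attacker nothing to sign with.
type IdP struct {
	pubKeys map[string]*ecdsa.PublicKey
}

// NewDevice provisions a P-256 key pair and binds the user's PIN to it.
func NewDevice(pin string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, nil
}

// Challenge issues a fresh 32-byte nonce for one authentication attempt.
func (idp *IdP) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Sign gates the device key behind the PIN: a wrong PIN never reaches the key.
func (d *Device) Sign(pin string, nonce []byte) ([]byte, error) {
	h := sha256.Sum256([]byte(pin))
	if subtle.ConstantTimeCompare(h[:], d.pinHash[:]) != 1 {
		return nil, fmt.Errorf("PIN rejected by device")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verify accepts the login only if this nonce was signed by the enrolled key.
func (idp *IdP) Verify(user string, nonce, sig []byte) bool {
	pub, ok := idp.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

type Outcome struct{ Legit, WrongPIN, PhishedPIN, Replay bool }

// RunScenarios walks through one legitimate login and three failed attempts.
func RunScenarios() (Outcome, error) {
	var out Outcome
	idp := &IdP{pubKeys: map[string]*ecdsa.PublicKey{}}
	dev, err := NewDevice("2468") // constructed sample PIN
	if err != nil {
		return out, err
	}
	idp.pubKeys["alice"] = &dev.priv.PublicKey // enrollment: IdP keeps only the public key
	// 1. Correct PIN on the enrolled device: accepted.
	n1, _ := idp.Challenge()
	sig1, err := dev.Sign("2468", n1)
	if err != nil {
		return out, err
	}
	out.Legit = idp.Verify("alice", n1, sig1)
	// 2. Wrong PIN: the device refuses to sign, so nothing reaches the IdP.
	_, err = dev.Sign("0000", n1)
	out.WrongPIN = err == nil
	// 3. Phished PIN but no device: the attacker's own key is not enrolled.
	other, _ := NewDevice("2468")
	n3, _ := idp.Challenge()
	sig3, _ := other.Sign("2468", n3)
	out.PhishedPIN = idp.Verify("alice", n3, sig3)
	// 4. Replay of a captured valid signature against a fresh nonce.
	n4, _ := idp.Challenge()
	out.Replay = idp.Verify("alice", n4, sig1)
	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out) // {Legit:true WrongPIN:false PhishedPIN:false Replay:false}
}
```

The design point is where the two factors meet: the PIN is checked on the device and never sent anywhere, and the server never receives anything it could replay or that would be useful if its database were copied, which is what separates this scheme from a password plus a second password.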

Windows 10 data loss prevention

Increased protection of corporate data is another important feature of Windows 10. BitLocker has provided full disk encryption since it first appeared in Windows Vista, but extending that protection once data leaves a device -- data loss prevention (DLP) -- has become vital with the increased use of mobile devices in the workplace. Azure Rights Management services and Information Rights Management in Microsoft Office already protect data after it leaves a device, but they require the user to opt in to activate the protection. With Windows 10, organizations can not only define which apps have access to corporate data, but also prevent data from being copied or accessed without the correct security profile, regardless of whether it is in transit or located on another device. Windows will provide this protection by using containers and by separating corporate and personal data at the application and file level, automatically encrypting information as it arrives on the device. Because users never need to switch modes or use special apps to protect corporate data, this overcomes the big problem of user indifference to security.

Application access controls

In BYOD environments, controlling access to network resources is also a priority for many enterprises. Windows 10 lets administrators specify which apps are and aren't allowed to use the organization's VPN, and access can also be restricted by port and IP address. Additionally, administrators can configure devices so that only trusted apps can be installed on them: apps signed by the enterprise itself, apps from approved software vendors, or apps from the Windows Store. The aim is to make it easier to lock down mission-critical or sensitive devices against malware infections while giving other groups of users more flexibility.

These three key new features can reduce the need for certain third-party products such as DLP and two-factor authentication, but enterprises will still have plenty of flexibility in the security controls they use. Windows 10 can hook into most mobile device management products and VPN infrastructures. Windows Server 10 will even include Windows Defender, although most enterprises will still want to run a dedicated antivirus and antimalware product at the network gateway and on critical devices.

By making security easier for administrators to implement and simpler for employees to use, Windows 10 should prove popular with enterprises and attract business adoption from those still running Windows 7.

Unified deployment and management, together with a universal app platform and security model, will immediately free up system administrators' time and deliver better overall security. For any large enterprise, it makes sense to let some IT staff join the Windows Insider Program so they can examine the new security features in Windows 10 and assess their suitability and usability before public release. Enterprises should make sure analysts experiment on test devices, though, as Microsoft collects a lot of information from devices running the preview version.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website http://www.hairyitdog.com offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security and has written many technical articles for leading IT publications. Mike has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).

This was last published in January 2015

4 comments

Is Windows 10 in your enterprise's future? Which security control do you look forward to implementing?

We do not plan to upgrade all of our workstations to Windows 10, but we will be testing it for a few of the new enterprise options like credential protection, lockdown, and the new deployment options like wipe-and-load. The ability to wipe and load will save us time when we need to provision a used workstation for new employees or as hardware upgrades. Credential protection will work along with the identity management solution used.

The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution needed for important accounts requires the use of the most reliable password.

"Once enrolled, a device becomes one of two factors that are required for authentication. This reduces the viability of phishing attacks as an attacker would need not only the user's PIN or biometric information, but also physical access to their device."

Wow, I see that only working if some really smart person doesn't find a way to spoof that part, or to somehow sniff it on the network. I mean, if that identity is being transmitted to verify, you just have to wonder.
