
Windows 10 security fixes longtime OS vulnerabilities

Windows 10 security incorporates years of improvements to remove or mitigate long-term issues with Windows vulnerabilities.

Reasonable people may disagree over when or how to upgrade to the newest iteration of Windows, but Microsoft says it takes security seriously in Windows 10. How seriously? One quick way to gauge is to look back at the issues our frequent contributor Kevin Beaver raised here in 2008, such as unsafe file sharing and the absence of basic tools like a firewall, malware protection and encryption, and compare them with the current state of Windows 10 security.

Some of the most common Windows vulnerabilities had already been vexing security experts for years. Now that Windows 10, a.k.a. "the last version of Windows," is gaining traction, it's time to revisit those gripes and groans to see how well Microsoft has addressed them, or even whether it should.

File and share permissions that give up everything to everyone

Microsoft made it so easy to share files with Windows XP that users who misconfigured their systems often discovered that snoopers on public Wi-Fi networks had full access to all their data. Even though the security solutions to these Windows vulnerabilities seemed simple, the problem followed into Windows Vista and persisted with file sharing issues in Windows 7 and beyond.

"Users who create shares to make their local files available across the network are typically the culprits," wrote Kevin Beaver here in 2008. "Sometimes it's careless admins; other times they're honest mistakes. Unfortunately, all too often the 'Everyone group' is given full access to every file on the system."

Poor decisions are harder to make with Windows 10 security features: when a PC joins a new network, Windows asks whether it should be discoverable, and answering no places it on the Public profile, where network discovery and file sharing are switched off. The Explorer sharing dialog, for its part, defaults to read-only access for the users explicitly chosen, rather than Everyone with full control.

Even so, mistakes will likely continue to be made. According to Wes Miller, research analyst at Directions on Microsoft, "If a user misconfigures their system -- makes poor decisions, they can accidentally put themselves at risk. There's only so much Windows can do there to prevent that."
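The following PowerShell script is an added example, not code from the article or from Beaver's original piece. It finds the misconfiguration described above on the local machine: SMB shares whose share-level permission grants Everyone, Authenticated Users, the built-in Users group or anonymous logon more than Read, and shared folders whose NTFS ACL gives those groups Full Control, Modify or Write. It assumes the SmbShare module (Windows 8 / Server 2012 or later) and an elevated prompt; the list of "broad" principals is the author's choice.

```powershell
# Added example, not code from the article. Lists SMB shares that give broad groups more
# than Read at the share gate or at the NTFS gate, the "Everyone gets full access" mistake
# Beaver describes. Assumes: SmbShare module (Windows 8 / Server 2012 or later), run as
# administrator. The principal list below is the author's choice; extend it as needed.

function Get-RiskyShare {
    $broad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\ANONYMOUS LOGON')

    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {   # skip C$, ADMIN$, IPC$
        # Gate 1: share-level permission (Full / Change / Read).
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.AccountName -and $ace.AccessRight -ne 'Read') {
                [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Gate = 'Share'
                                   Principal = $ace.AccountName; Right = $ace.AccessRight }
            }
        }
        # Gate 2: NTFS ACL on the folder. Effective access over the network is the more
        # restrictive of the two gates, so a Read share over a wide-open ACL is one careless
        # share-permission change away from full exposure; report it too.
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
                if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value -and
                    $ace.FileSystemRights.ToString() -match 'FullControl|Modify|Write') {
                    [pscustomobject]@{ Share = $share.Name; Path = $share.Path; Gate = 'NTFS'
                                       Principal = $ace.IdentityReference.Value; Right = $ace.FileSystemRights }
                }
            }
        }
    }
}

Get-RiskyShare | Format-Table -AutoSize
```

Both gates matter: Windows applies the more restrictive of the share permission and the NTFS permission to network access, which is why a share showing only Everyone/Read can still be safe, and why the script reports the NTFS side separately rather than collapsing the two into one verdict.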

More important, better data security tools are now available as part of the Windows stack, including BitLocker encryption and Azure Rights Management (Azure RMS). According to Miller, "Azure Rights Management and encryption overall can protect information from falling into the wrong hands -- even if it is leaked (intentionally or not)."

Lack of antimalware and firewall protection

In 2008, Beaver found "antivirus and antispyware software both disabled and not installed at all with no one being aware of the problem," as well as a "lack of personal firewall protection … another basic security control that's still not enabled on many Windows systems."

Many of those vulnerable Windows systems were likely unpatched versions of XP or older. Microsoft did include a personal firewall with Windows XP (the Internet Connection Firewall), but the user had to turn it on; only after the Blaster and then Sasser worm attacks did Microsoft switch it on by default in XP SP2 (2004). Even then, Windows Firewall filtered only inbound connections, and because it broke some traffic on enterprise networks, many organizations chose to delay it rather than deploy it.

Lessons were learned, though, and Microsoft leveled up with the Vista and Windows 7 versions of Windows Firewall: outbound filtering, network location profiles that turn off network discovery on public networks, tighter integration with the OS and better controls for both small shops and enterprises. With the improvements delivered in Windows 8, some third-party firewall vendors even began building their products on the base firewall module rather than duplicating its features on their own.

Microsoft went through a similar evolution with Windows Defender, originally offered as an antispyware add-on for Windows XP, then bundled with Vista, and finally expanded into full antimalware protection in Windows 8.

Windows Defender and Windows Firewall both ship enabled out of the box, and turning them off, on purpose or by mistake, has been made more difficult. One caveat worth knowing: Defender steps aside automatically when a third-party antimalware product registers with Windows, so "Defender disabled" can mean either that another product is protecting the machine or that a replacement product has since lapsed.

Miller said, "Built-in firewall and antimalware are sort of the baseline now -- and there are alternatives that both build on them and others that replace them. The firewall has continued to improve ever since it shipped first in XP, and is ever more important in a world where a lot of the networks we connect to are hostile."
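As an added example (not code from the article), the script below audits the baseline controls this section discusses on a Windows 8 or later machine: the firewall is on for the Domain, Private and Public profiles with inbound connections blocked by default, Network Discovery is not enabled on the Public profile, and Defender is running with current signatures. It uses the NetSecurity and Defender PowerShell modules and the Security Center WMI class, all of which ship with the OS; the three-day signature-age threshold is the author's choice. Run it from an elevated prompt.

```powershell
# Added example, not code from the article. Audits the baseline controls the section
# discusses: firewall on for every profile with inbound blocked by default, Network
# Discovery off on the Public profile, Defender running with fresh signatures.
# Assumes: Windows 8 or later (NetSecurity and Defender modules), run as administrator.

function Test-BaselineProtection {
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($fw in Get-NetFirewallProfile) {
        if ($fw.Enabled -ne 'True')                  { $findings.Add("Firewall off for $($fw.Name) profile") }
        if ($fw.DefaultInboundAction -ne 'Block')    { $findings.Add("$($fw.Name) profile admits inbound connections by default") }
    }

    # Network Discovery is a rule group; any enabled inbound rule scoped to Public (or to all profiles) counts.
    $discovery = Get-NetFirewallRule -DisplayGroup 'Network Discovery' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Profile -match 'Public|Any' }
    if ($discovery) { $findings.Add("Network Discovery enabled on the Public profile ($(@($discovery).Count) inbound rules)") }

    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings.Add('Windows Defender reports no status (service stopped or removed)')
    } else {
        if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine disabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection disabled') }
        if ($mp.AntivirusSignatureAge -gt 3)    { $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old") }
    }

    # Defender switches itself off when a third-party product registers with Security Center,
    # so list whatever else is registered; a disabled Defender is only a gap if nothing else is healthy.
    $others = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike 'Windows Defender*' }
    if ($others) { $findings.Add("Third-party antimalware registered: $(@($others.displayName) -join ', ') (verify its state separately)") }

    return $findings
}

$result = Test-BaselineProtection
if ($result.Count -eq 0) { 'Baseline OK' } else { $result }
```

The Security Center lookup is the piece most audits forget: the `productState` of a registered third-party product encodes whether it is enabled and up to date, and a machine can pass the "Defender off, something else registered" test while the something else has been expired for a year.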

Weak or nonexistent drive encryption

Microsoft BitLocker full-disk encryption has shipped with Windows since Vista, but at first only in the high-end Ultimate and Enterprise SKUs; Windows 8 added it to Pro. With Windows 10 it is included in Pro, Enterprise and Education, and Windows 10 Home gets the simpler Device Encryption on hardware that supports it, so disk encryption is now within reach of nearly every edition. Over the years, BitLocker has gained significant acceptance, even when compared with other full-disk encryption products.

According to Miller, "Drive encryption is now available across Windows -- which is hugely important, and can help businesses make the right decision about securing their data."

BitLocker has evolved beyond full-disk encryption: BitLocker To Go locks down removable drives, the same engine provides device encryption for Windows phones and tablets, Microsoft BitLocker Administration and Monitoring (MBAM) manages deployment and recovery keys in the enterprise, and the same cmdlets encrypt volumes on Windows Server.
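The following is an added example, not code from the article, showing what "is this machine actually encrypted?" looks like in practice. It walks every volume BitLocker knows about, including removable drives, and reports the gaps an auditor cares about: volumes that are not encrypted, volumes that are encrypted but have protection suspended (a common state after a firmware update), OS volumes whose key is not bound to the TPM, and volumes with no recovery password that could be escrowed. It assumes Windows 8 or later Pro/Enterprise (BitLocker and TrustedPlatformModule modules) and an elevated prompt.

```powershell
# Added example, not code from the article. Reports BitLocker coverage per volume and
# the reason each unprotected volume is unprotected. Assumes: Windows 8 or later
# Pro/Enterprise, BitLocker and TrustedPlatformModule modules, run as administrator.

function Get-EncryptionGap {
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Warning 'TPM absent or not ready: the OS volume cannot use TPM-bound protectors'
    }

    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmBound   = [bool]($protectors | Where-Object { $_ -like 'Tpm*' })   # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey

        # Removable drives show up as VolumeType 'Data'; ask the storage stack to tell them apart.
        $drive = $null
        if ($vol.MountPoint -match '^([A-Za-z]):') {
            $drive = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
        }

        $issue = if ($vol.VolumeStatus -eq 'FullyDecrypted')        { 'not encrypted' }
                 elseif ($vol.ProtectionStatus -ne 'On')             { 'encrypted but protection off or suspended' }
                 elseif ($vol.VolumeType -eq 'OperatingSystem' -and -not $tpmBound) { 'OS volume not bound to the TPM' }
                 elseif ($protectors -notcontains 'RecoveryPassword') { 'no recovery password to escrow' }
                 else { $null }

        [pscustomobject]@{
            Drive      = $vol.MountPoint
            Type       = if ($drive -and $drive.DriveType -eq 'Removable') { 'Removable' } else { $vol.VolumeType }
            Status     = $vol.VolumeStatus
            Protection = $vol.ProtectionStatus
            Method     = $vol.EncryptionMethod
            Protectors = $protectors -join ','
            Issue      = $issue
        }
    }
}

Get-EncryptionGap | Format-Table -AutoSize
```

`ProtectionStatus` is the field to trust, not `VolumeStatus`: a volume reports `FullyEncrypted` with protection `Off` when someone ran `Suspend-BitLocker` (or Windows did so for an update) and never resumed it, and in that state the volume master key sits on disk in the clear.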

Missing patches in Windows as well as third-party software

Windows 10 replaces the monthly pile of individual patches with cumulative updates delivered continuously through Windows Update, so "Patch Tuesday" becomes less of an event than it was. Windows Update itself has been around since Windows 98, whose success Microsoft attributed in part (USB support and Internet Explorer mattered too) to the existence of the Windows Update website.

The patch problem is even addressed for updating enterprise Windows systems. "The Long Term Servicing Branch gives an option to businesses which either have a known requirement that new features not show up unannounced, or just need a set baseline for 10 years of support -- ideal for point of service or other mission critical systems. Current Branch for Business gives organizations a bit of slack to ensure they can and do test updates when they arrive against their software and services. Windows Update for Business is evolving to be the mechanism for managing that," Miller said.

Enterprise IT departments will also be able to delay general distribution of updates to allow testing for compatibility with legacy applications and the enterprise environment.

As for third-party vendors pushing updates automatically, it's happening for some but not others, and there's nothing Microsoft can do about it. Google started pushing Chrome updates automatically in 2011, and Microsoft followed suit for Internet Explorer in 2012.
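As an added example (not code from the article), the script below asks the Windows Update Agent directly which updates are still missing, reports how long it has been since anything was installed, and reads the Windows Update for Business deferral values that implement the branch choices Miller describes. It assumes Windows 7 or later and an elevated prompt. The registry value names shown are the ones the Windows 10 1507/1511 "Defer Upgrades and Updates" policy wrote; Windows 10 1607 and later replaced them with `DeferFeatureUpdates` / `DeferQualityUpdates` and `...PeriodInDays` variants, so treat that part as build-specific.

```powershell
# Added example, not code from the article. Reports missing updates (as judged by whatever
# source policy points the agent at: Windows Update, WSUS or Windows Update for Business),
# days since the last installed hotfix, and the deferral policy in effect.
# Assumes: Windows 7 or later, run as administrator. Policy value names are those of
# Windows 10 1507/1511 and changed in 1607 (an assumption to verify per build).

function Get-PatchState {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $missing  = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates

    $lastInstalled = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn

    $wub = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MissingCount       = $missing.Count
        MissingCritical    = @($missing | Where-Object { $_.MsrcSeverity -eq 'Critical' }).Count
        DaysSinceLastPatch = if ($lastInstalled) { (New-TimeSpan -Start $lastInstalled -End (Get-Date)).Days } else { $null }
        DeferUpgrade       = [bool]$wub.DeferUpgrade        # 1 = Current Branch for Business (1507/1511 naming)
        DeferUpgradeMonths = $wub.DeferUpgradePeriod
        DeferUpdateWeeks   = $wub.DeferUpdatePeriod
        Missing            = @($missing | ForEach-Object {
            '{0} [{1}] {2}' -f (($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','), $_.MsrcSeverity, $_.Title
        })
    }
}

Get-PatchState | Format-List
```

Querying the agent rather than comparing against a downloaded catalog matters for the point Miller makes: the same machine reports different "missing" sets depending on whether it is pointed at Windows Update, a WSUS server that has not approved the latest cumulative update, or a deferral policy that is still holding it back, and the script shows all three in one place.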

Weak Windows security policy settings

In 2008, Beaver decried shortcomings in default Windows policy settings: "Audit logging that is not being enabled for failed events, no password-protected screensavers, not requiring Ctrl+Alt+Del for login, not requiring password complexity and displaying the last user name that logged in." He continued, "Policies to control these issues are easy to implement locally on each Windows system for smaller Windows shops not running Active Directory. It's even easier for larger enterprises via Active Directory Group Policy."

Have things changed? Yes, but this is not an area where Microsoft has much control over Windows vulnerabilities: the settings exist, and the organization has to apply them. "Microsoft tries hard to ship good policy settings in the box -- many of them differ depending on whether a system is joined to an Active Directory domain or not -- but if an organization wants tighter policies, they can provision them as such," Miller said.
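The script below is an added example, not code from the article, that checks the five settings Beaver lists against the local machine: failed-logon auditing, a password-protected screen saver, Ctrl+Alt+Del at logon, password complexity and hiding the last user name. It reads the same registry values and `secedit`/`auditpol` output that Group Policy writes, so it works on a standalone machine and shows the effective result of Group Policy on a domain-joined one. It assumes Windows Vista or later and an elevated prompt; the thresholds (15-minute screen saver, 8-character minimum) are the author's choices, not Microsoft defaults.

```powershell
# Added example, not code from the article. Checks the local policy settings Beaver
# called out in 2008. Assumes: Windows Vista or later, run as administrator (secedit and
# auditpol need it). Thresholds are the author's choices.

function Test-LocalSecurityPolicy {
    $findings = New-Object System.Collections.Generic.List[string]

    # Logon-screen policies live under Policies\System. Absent values mean "default", which
    # on a standalone Windows 10 client is: Ctrl+Alt+Del not required, last user name shown.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($sys.DisableCAD -ne 0)              { $findings.Add('Ctrl+Alt+Del not required at logon (DisableCAD is not 0)') }
    if ($sys.DontDisplayLastUserName -ne 1) { $findings.Add('Last logged-on user name is shown at logon') }

    # Account policy: export the effective local policy and parse the key=value lines.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $policy = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(\w+)\s*=\s*(\S+)') { $policy[$Matches[1]] = $Matches[2] }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($policy['PasswordComplexity'] -ne '1')       { $findings.Add('Password complexity not enforced') }
    if ([int]$policy['MinimumPasswordLength'] -lt 8) { $findings.Add("Minimum password length is $([int]$policy['MinimumPasswordLength'])") }
    if ([int]$policy['LockoutBadCount'] -eq 0)       { $findings.Add('No account lockout threshold') }

    # Audit policy: auditpol's CSV has an "Inclusion Setting" column such as
    # "Success and Failure", "Failure" or "No Auditing".
    $logon = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
    if ($logon.'Inclusion Setting' -notmatch 'Failure') { $findings.Add('Failed logon attempts are not audited') }

    # Screen saver settings are per user (HKCU), so this reflects the account running the script.
    $desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
        $findings.Add('Screen saver not enabled or not password-protected')
    } elseif ([int]$desk.ScreenSaveTimeOut -gt 900) {
        $findings.Add("Screen saver timeout is $($desk.ScreenSaveTimeOut) seconds")
    }

    return $findings
}

$r = Test-LocalSecurityPolicy
if ($r.Count -eq 0) { 'Local policy OK' } else { $r }
```

The `secedit /export` step is deliberate: reading `PasswordComplexity` from the exported template gives the value the Local Security Authority actually enforces, which on a domain member comes from the Default Domain Policy and not from anything set on the workstation.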

Weak or nonexistent passwords

The problem with passwords is that they have to be strong to be effective, and strong passwords are hard for users to remember and type, so in practice they get reused, written down or quietly weakened.

Beaver wrote in 2008, "I can't tell you how many systems (especially Windows laptops) I see that do not have a password assigned to the Administrator account or the default user's password is the same as the username. The password problem has been around since the dawn of time, so there's no excuse for this one."

These days, many experts are suggesting that it's not weak passwords or bad users but passwords themselves that are at fault, and the solution is to dump them for some form of two-factor authentication that includes a biometric factor.

According to Miller, "Within the next five years, between Touch ID on Apple devices and Hello on Windows devices, we're going to see the password disappear and it's not going to be the concern it once was."

That is exactly what Microsoft is championing, especially for the enterprise, with Microsoft Passport, which handles the authentication using a key pair stored on the device, and Windows Hello, which handles the biometric (or PIN) unlock of that key. The problem is that two-factor-capable hardware, a TPM plus a fingerprint reader or infrared camera, is not yet standard.

Miller suggested adopting a near-term strategy of understanding how Microsoft Passport "helps manage your identity across the Web," but with the longer-term goal of using "Microsoft Hello as the hardware to take advantage of as it becomes more commonplace."
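Until the hardware is standard, the 2008 findings Beaver quotes in this section are still worth checking for. The following is an added example, not code from the article: it lists enabled local accounts that are allowed a blank password, reports whether the built-in Administrator (RID 500, whatever it has been renamed to) is still enabled, and tries the two classic guesses, empty and username-as-password, through a real credential validation. Because the guesses are real logon attempts, each miss counts toward lockout and writes a failed-logon event, so run it with the operations team's knowledge. It assumes Windows 10 1607 or later (the LocalAccounts module) and an elevated prompt.

```powershell
# Added example, not code from the article. Finds local-account failures Beaver describes:
# blank passwords permitted, built-in Administrator enabled, password equal to user name.
# The guesses are genuine logon attempts (lockout counters and 4625 events apply).
# Assumes: Windows 10 1607 or later (Microsoft.PowerShell.LocalAccounts), run as administrator.

function Get-WeakLocalAccount {
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')

    foreach ($user in (Get-LocalUser | Where-Object { $_.Enabled })) {
        $problems = New-Object System.Collections.Generic.List[string]

        if (-not $user.PasswordRequired) { $problems.Add('blank password permitted') }
        # The built-in Administrator keeps RID 500 even when renamed.
        if ($user.SID.Value -like '*-500') { $problems.Add('built-in Administrator is enabled') }

        # A correct blank password can still be refused here by the "limit local account use of
        # blank passwords to console logon only" policy, so PasswordRequired above stays the
        # authoritative check for blanks; the guesses mainly catch password == user name.
        foreach ($guess in @('', $user.Name, $user.Name.ToLower())) {
            if ($ctx.ValidateCredentials($user.Name, $guess)) {
                $problems.Add("password is '$guess'")
                break
            }
        }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{ Account = $user.Name; LastLogon = $user.LastLogon; Problems = $problems -join '; ' }
        }
    }
}

Get-WeakLocalAccount | Format-Table -AutoSize
```

On a fleet this is the kind of check that belongs in configuration management rather than a one-off script, but the logic is the same: the account database will tell you whether a blank password is allowed, and only an actual authentication attempt will tell you whether the password is "administrator".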

Windows Mobile and other mobile device weaknesses

In 2008, the state of Windows Mobile security was a mess: minimal tools for device management and administration, weak or no authentication, no encryption despite plenty of storage on the devices, and spotty patch control and system updates.

Things are much better now. "Microsoft has a much better story for how you secure mobile devices today than they did back in that era when it would have been really just Exchange and ActiveSync as the only options for securing those devices from Microsoft," Miller said.

With Windows 10, Miller said, "you've got the ability to protect content when it's on a device, wipe content if the device is lost -- without wiping the user's content."

Now, mobile device management is an increasingly important part of any enterprise Windows security toolbox, though it may come at the price of buying into new services, in particular the Enterprise Mobility Suite, according to Miller.

Rogue systems running unknown, and unmanaged, services

In 2008, Beaver flagged "Legacy Windows systems that aren't within the scope of enterprise security and compliance." These systems were put in place and left to do their job, without oversight, support or patches. Even if they are never discovered and subverted by attackers, they cause more trouble than they are worth, and they can be nearly impossible to root out because there is no easy way to find them all.

While many, perhaps most, of the old, unhardened and unpatched Windows 98, NT and 2000 systems have been excised from the enterprise, rooting out and replacing the ones that remain is the enterprise's responsibility rather than a problem Microsoft can solve.
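One place to start looking is the directory itself. The script below is an added example, not code from the article: it pulls every computer object from Active Directory and flags operating systems that were past end of support when this article was written (NT, 2000, XP, Server 2003; the list is the author's and should be extended as products retire) as well as accounts that have not logged on in a configurable number of days, the usual signature of a box that was "put in place and left". It assumes the RSAT ActiveDirectory module and read access to the domain. Machines that were never domain-joined will not appear here and need a network scan instead.

```powershell
# Added example, not code from the article. Flags domain computer objects running an
# unsupported OS or that have gone quiet. Assumes: RSAT ActiveDirectory module, read
# access to the domain. The unsupported-OS list reflects 2015; extend it over time.

function Get-LegacyComputer {
    param([int]$StaleDays = 90)

    $unsupported = 'Windows NT', 'Windows 2000', 'Windows XP', 'Windows Server 2003'
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    Get-ADComputer -Filter * -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, LastLogonDate, IPv4Address |
        ForEach-Object {
            $c  = $_
            $os = $c.OperatingSystem
            $reasons = @()

            if (-not $os) {
                $reasons += 'no OS recorded (pre-staged or never joined)'
            } elseif ($unsupported | Where-Object { $os -like "$_*" }) {
                $reasons += 'unsupported OS'
            }
            # LastLogonDate is replicated from lastLogonTimestamp and can lag by up to 14 days,
            # so keep StaleDays comfortably above that.
            if (-not $c.LastLogonDate -or $c.LastLogonDate -lt $cutoff) { $reasons += "no logon in $StaleDays days" }

            if ($reasons) {
                [pscustomobject]@{
                    Name      = $c.Name
                    OS        = "$os $($c.OperatingSystemServicePack)".Trim()
                    Version   = $c.OperatingSystemVersion
                    LastLogon = $c.LastLogonDate
                    IPv4      = $c.IPv4Address
                    Enabled   = $c.Enabled
                    Reason    = $reasons -join '; '
                }
            }
        }
}

Get-LegacyComputer -StaleDays 90 | Sort-Object LastLogon | Format-Table -AutoSize
```

The two lists disagree in a useful way: an unsupported OS that logged on yesterday is a live system that needs replacing, while a supported OS that has been silent for six months is either decommissioned hardware that still has a trusted computer account, or a live machine that the domain has lost track of, and either answer is worth a visit.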

Some things never change

Change may be universal, but some things never change. Many of the vulnerabilities of the past are addressed in Windows 10, but the bottom line today remains the same as it was in 2008, as Beaver wrote then:

"The bottom line is to know what's on your systems and what can be done with your systems. This is the recipe for a secure Windows environment."


This was last published in October 2015
