Windows 10: more secure than ever
- Posted on July 24, 2015
This is a guest blog post written by Avanade alum, Nils Woensel.
In the last couple of years, many Fortune 500 companies were infiltrated and had their data stolen, while the breaches remained undetected. Data leaks also happen from within, through a company's own employees. Stroz Friedberg reports that 58% of senior managers have accidentally sent sensitive information to the wrong person. To prevent this from happening, Microsoft has improved Windows 10 with various new security features, focusing on four major subjects.
Microsoft tightens the screws with Windows 10 by giving manufacturers the choice to remove the option to disable UEFI Secure Boot, while enabling Secure Boot for Windows mobile devices. As a result, the devices can only run an OS approved and assigned by Microsoft.
Windows Hello replaces weak password protection with biometric authentication by face recognition, iris scan or fingerprint. Microsoft Passport has Windows 10 generate a unique asymmetric key and stores it in the Trusted Platform Module (TPM). Your device is then used as a virtual smartcard, instead of relying on expensive PKI infrastructure. This provides two-factor authentication, where your device is the tangible factor and the PIN is something you know. Microsoft Passport integrates with other services and platforms, and logs you on without passwords being sent over the wire.
With Device Guard you are better protected against Advanced Persistent Threats. According to the Windows Defender Team, 96% of malware is unsigned software. Device Guard checks the code integrity of software using kernel mode code integrity in a virtual secure environment, which is powered by Hyper-V and isolated from the operating system. Even with a compromised system you cannot run unsigned software. In addition, your user access tokens are saved in the secure environment as well, preventing attacker techniques such as ‘Pass the Hash’ attacks. With these attacks, the attacker gains access to resources by impersonating the user’s identity without needing to know the user’s actual credentials.
Enterprise Data Protection is a default feature in Windows 10 that enables containerization techniques to separate corporate data from your personal data, even within the same folder on your device. Your corporate documents are automatically encrypted, and on top of that you can enable Microsoft RMS with sharing protection to securely share your corporate data. The encryption and rights travel with the storage system, so copying corporate data to USB or external cloud services like Dropbox won’t compromise the encryption.
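To confirm on a given device that the Secure Boot, TPM and Device Guard protections described above are actually switched on, a read-only check like the following can be run from an elevated PowerShell session. This is an added example, not part of the original post; the function name `Get-Win10SecurityPosture` is hypothetical, while the cmdlets and the `Win32_DeviceGuard` class are the standard Windows ones.

```powershell
# Added example (not from the original post): read-only posture check.
# Get-Win10SecurityPosture is a hypothetical name. Run elevated.
function Get-Win10SecurityPosture {
    $gaps  = New-Object System.Collections.Generic.List[string]
    $state = [ordered]@{}

    # Secure Boot: returns $true/$false on UEFI systems and throws on
    # legacy BIOS firmware or in a non-elevated session.
    try {
        $state.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
        if (-not $state.SecureBoot) { $gaps.Add('Secure Boot is disabled in firmware') }
    } catch {
        $state.SecureBoot = $null
        $gaps.Add("Secure Boot state unavailable: $($_.Exception.Message)")
    }

    # TPM: without a ready TPM, keys cannot be bound to the hardware.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $state.TpmPresent = $tpm.TpmPresent
        $state.TpmReady   = $tpm.TpmReady
        if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $gaps.Add('TPM missing or not ready') }
    } catch {
        $gaps.Add("TPM state unavailable: $($_.Exception.Message)")
    }

    # Device Guard / virtualization-based security (VBS).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
              -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -eq $dg) {
        $gaps.Add('Win32_DeviceGuard class not available on this edition/build')
    } else {
        $state.VbsStatus           = $dg.VirtualizationBasedSecurityStatus     # 0 off, 1 enabled, 2 running
        $state.ServicesRunning     = @($dg.SecurityServicesRunning)            # 1 Credential Guard, 2 HVCI
        $state.CodeIntegrityPolicy = $dg.CodeIntegrityPolicyEnforcementStatus  # 0 off, 1 audit, 2 enforced
        if ($state.VbsStatus -ne 2)                { $gaps.Add('VBS is not running') }
        if ($state.ServicesRunning -notcontains 2) { $gaps.Add('Kernel-mode code integrity is not hypervisor-enforced') }
        if ($state.ServicesRunning -notcontains 1) { $gaps.Add('Credentials are not isolated by VBS') }
        if ($state.CodeIntegrityPolicy -ne 2)      { $gaps.Add('Code integrity policy is not in enforced mode') }
    }

    # State holds the raw values; Gaps lists every protection that is missing.
    [pscustomobject]@{ State = [pscustomobject]$state; Gaps = $gaps.ToArray() }
}

Get-Win10SecurityPosture | Format-List
```

An empty `Gaps` list means the device matches the configuration the post describes; a code integrity policy in audit mode (value 1) only logs unsigned code and does not block it.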
The improved security features that come with Windows 10 are easy to use and ensure optimal protection of your assets. I would definitely recommend using them in this mobile-first, cloud-first world.
This article was first published on LinkedIn.