Windows 10 was designed by Microsoft to be its most secure OS ever. To achieve this goal, Microsoft used fresh hardware features that protect users from cybersecurity threats. The security improvements were focused on three main areas: threat resistance, identity and information protection, and access control.
With thousands of malware variants discovered every year and hacking techniques constantly evolving, Windows security has never been as vital as it is today. With Windows 10, organizations finally obtain the ability to deploy threat-resistant security features that can improve an OS at the click of a button.
Windows 10 includes a number of upgrades in terms of information protection, including a DLP component. These improvements let organizations easily separate personal and business data. Unlike other DLP solutions, Microsoft has integrated the functionality deep into its Windows platform. Windows 10 has the same security capabilities that container-based solutions offer without affecting user experience.
Let’s briefly go through each of these new security features in detail to understand them better.
The security-threat landscape of today is filled with tenacious and aggressive threats, much like the real world. In earlier years, malicious attackers focused on getting community recognition from their attacks. Today, their motives lean more toward extracting money from the organizations they hack. See the movie “Blackhat,” which got hacking and hackers mostly right.
Attackers hold data and machines hostage until ransoms are paid, but they also exploit valuable information for their personal gain. Modern attacks focus more on large-scale theft of intellectual property and system degradation, which in itself causes financial losses.
Windows 10 introduces a number of security features that help alleviate modern threats and also help protect organizations. Well, unless you deliberately set up an unprotected server and computer in your basement à la Hillary Clinton. Windows 10 is one of the most malware-resistant operating systems to date. Instead of just adding defenses on top of the OS, as Microsoft did with earlier versions of Windows, it has introduced architectural changes that address whole classes of threats.
By changing how the OS works, Microsoft has made it harder for modern attackers to hack systems. New features include configurable code integrity, Device Guard, virtualization-based security (VBS), and Windows Defender improvements. Together these will help protect against 95 percent of the malware in the world.
Device Guard helps lock down devices by preventing malware from running, even if an attacker has already breached the system. As Microsoft itself says, “If the app isn’t trusted it can’t run, period.” Device Guard takes the best preexisting Windows integrity-hardening features and combines them with new application-control features such as the HVCI (hypervisor-enforced code integrity) service, which helps prevent vulnerability exploits from running unsigned or untrusted code in the kernel.
Even though Microsoft intends Device Guard to run with other Windows security features such as Credential Guard, it can also run independently. Based on your client resources, you can choose the features that make sense for device compatibility and environment.
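Whether VBS, HVCI and Credential Guard are actually running on a given client is not obvious from the UI. The following is an added example (not code from the article or from Microsoft) that reads the status Windows 10 exposes through the Win32_DeviceGuard WMI class; the numeric meanings in the comments follow Microsoft's documentation for that class, and the function name is my own.

```powershell
# Added example: report the Device Guard / VBS state of the local client.
# Requires an elevated PowerShell session on Windows 10 Enterprise.
function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Off' } 1 { 'Configured, not running' } 2 { 'Running' } default { 'Unknown' }
    }

    # SecurityServicesRunning is a list: 1 = Credential Guard, 2 = HVCI
    $running = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        VBS             = $vbs
        CredentialGuard = ($running -contains 1)
        HVCI            = ($running -contains 2)
        # Hardware prerequisites the article alludes to (values are documented capability codes)
        AvailableHwCaps = @($dg.AvailableSecurityProperties)
    }
}

# Usage on the local machine; the same function can be pushed through Invoke-Command
# to a fleet so that a management system can flag clients where HVCI is not running.
Get-DeviceGuardState | Format-List
```

A client that reports VBS as "Configured, not running" usually lacks a prerequisite (UEFI, Secure Boot, SLAT-capable CPU or IOMMU); the AvailableSecurityProperties list is the quickest way to see which one is missing before enabling the policy.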
Configurable Code Integrity
This component, a part of Device Guard, verifies that the code you are running is safe and can be trusted. Mirroring the two operating modes found in Windows, code integrity has two primary components: KMCI (kernel-mode code integrity) and UMCI (user-mode code integrity). Validating drivers in kernel mode is very effective, but drivers are not the only way malware can penetrate your OS, which is why the configurable policy extends to user-mode code as well.
Configurable code integrity isn’t limited to applications in the Windows Store. It isn’t even limited to the existing applications.
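The usual way to build a configurable code integrity policy is to scan a clean reference machine, deploy the result in audit mode, review what it would have blocked, and only then enforce it. The block below is an added example (not from the article) using the ConfigCI cmdlets that ship with Windows 10 Enterprise; the policy directory C:\CIPolicy and the file names are placeholders I chose.

```powershell
# Added example: build, audit and then enforce a Device Guard code integrity policy.
# Run elevated on a clean reference machine. Paths are placeholders for this example.
$policyDir = 'C:\CIPolicy'
$policyXml = Join-Path $policyDir 'InitialScan.xml'
$policyBin = Join-Path $policyDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

# 1. Scan the reference image. -UserPEs includes user-mode binaries (UMCI), not only drivers.
#    -Level Publisher trusts by signing certificate; -Fallback Hash pins unsigned files by hash.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $policyXml

# 2. Policies created by New-CIPolicy carry rule option 3 ("Enabled:Audit Mode"), so at this
#    stage untrusted code is logged, not blocked. Convert to the binary form the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# 3. Deploy locally for testing (enterprise rollout would use Group Policy or Configuration Manager),
#    then reboot for the kernel to pick up the policy.
Copy-Item $policyBin "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 4. After a test period, list what audit mode would have blocked.
#    Event 3076 = would have been blocked (audit); 3077 = actually blocked (enforced).
function Get-CIAuditHits {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}
Get-CIAuditHits | Format-Table -AutoSize -Wrap

# 5. When the audit log shows only expected hits, drop audit mode and redeploy the binary.
Set-RuleOption -FilePath $policyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin
```

Skipping step 4 is the classic mistake: an enforced policy built from an incomplete scan will block line-of-business applications and their updaters, so the audit events are the evidence that the policy is complete.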
Measured Boot and Remote Attestation
Even though software-based antivirus and antimalware solutions can be effective, they have no way of detecting pre-OS resource modification or infections such as rootkits and bootkits. This malicious software can manipulate client data before the OS or the antimalware solution even loads, which makes rootkits and bootkits almost impossible to detect with software-based solutions. Windows 10 instead uses the TPM (Trusted Platform Module) and Measured Boot to analyze overall boot integrity.
Measured Boot on its own doesn’t prevent malware from loading during startup. But it provides an audit log that allows trusted remote attestation servers to evaluate the startup components and decide their trustworthiness. If the remote attestation servers report that the PC has loaded untrusted components, the management system can perform quarantine actions and block access to network resources.
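Before a remote attestation service can judge a client, the client itself has to have the building blocks in place: UEFI Secure Boot, a ready TPM, and the measured-boot log that Windows writes on every start. The block below is an added example, not from the article, that collects those three facts locally; the function name is mine, and the cmdlets used (Confirm-SecureBootUEFI, Get-Tpm) ship with Windows 10.

```powershell
# Added example: local pre-checks for Measured Boot and remote attestation readiness.
# Run elevated. Nothing here evaluates trust; that is the attestation server's job.
function Get-BootIntegrityReadiness {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat that as "not UEFI".
    try   { $secureBoot = Confirm-SecureBootUEFI; $uefi = $true }
    catch { $secureBoot = $false;                  $uefi = $false }

    $tpm = Get-Tpm

    # Windows stores one TCG measured-boot log per boot under this directory.
    $logDir = Join-Path $env:SystemRoot 'Logs\MeasuredBoot'
    $latestLog = Get-ChildItem -Path $logDir -Filter '*.log' -ErrorAction SilentlyContinue |
                 Sort-Object LastWriteTime -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        UEFI           = $uefi
        SecureBoot     = $secureBoot
        TpmPresent     = $tpm.TpmPresent
        TpmReady       = $tpm.TpmReady          # owned, provisioned and usable by Windows
        MeasuredBootLog = if ($latestLog) { $latestLog.FullName } else { $null }
        LogWrittenAt   = if ($latestLog) { $latestLog.LastWriteTime } else { $null }
    }
}

$state = Get-BootIntegrityReadiness
$state | Format-List

# A client that cannot attest should be treated as untrusted by the management system,
# which is the quarantine behaviour the article describes.
if (-not ($state.SecureBoot -and $state.TpmReady -and $state.MeasuredBootLog)) {
    Write-Warning "$($state.ComputerName) cannot produce a trustworthy boot measurement."
}
```

The log file is the raw material the attestation server consumes (the TPM-signed PCR values vouch for it); the script only confirms it exists and is current, it does not parse or validate it.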
Looking for another movie with hackers? In “Jason Bourne,” Heather Lee (Alicia Vikander) uploads malware onto Nicky Parsons’ (Julia Stiles) USB. Whenever Parsons used the USB, her location would pop up. Very clever, Ms. Lee.
Windows Defender, this venerable feature, has now been combined with Microsoft System Center Endpoint Protection. Unlike with System Center 2012 R2, there’s no client to deploy to the machines, since Windows Defender is built into the OS and enabled by default.
Apart from simplified deployment, Defender has many other improvements, too. The most critical ones are:
- ELAM (Early Launch Antimalware) compatible: Once Secure Boot is verified and the loading OS is trusted, ELAM will start an antimalware operation before any other component.
- Local context for centralized sensory data and detections: Unlike other antimalware software and earlier versions of Defender, Windows 10 also reports extra context for each discovered threat, including related threats and the history of how the malware moved through the system.
- UAC (User Account Control) integration: Whenever UAC requests are made, Defender automatically scans for threats before prompting users. This helps prevent them from providing privileges to malware.
- Simplified management: With Windows 10, you can easily manage Windows Defender. Settings can be changed through Intune, Group Policy, or the Configuration Manager.
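The Intune, Group Policy and Configuration Manager settings described above all end up as local Defender preferences, and the same information is available from PowerShell on any client. The block below is an added example (not from the article) that checks Defender's health, confirms the ELAM boot driver is registered, pulls recent detections with the extra context Windows 10 records, and queries the event log IDs a SIEM would collect; the function names are mine, the cmdlets are Windows 10's built-in Defender module.

```powershell
# Added example: verify Windows Defender state and review detections on a Windows 10 client.
# Run elevated.
function Get-DefenderHealth {
    $s = Get-MpComputerStatus
    # WdBoot is Defender's Early Launch Antimalware driver; it loads before other drivers.
    $elam = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceEnabled     = $s.AMServiceEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
        ElamDriverState    = if ($elam) { $elam.State } else { 'not registered' }
    }
}

function Get-DefenderDetections {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Detection records carry the local context the article mentions: process, resources, outcome.
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources, ActionSuccess
}

function Get-DefenderEvents {
    param([int]$MaxEvents = 20)
    # 1116 = malware detected, 1117 = action taken; these are what a SIEM should forward.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-DefenderHealth      | Format-List
Get-DefenderDetections  | Format-Table -AutoSize -Wrap
Get-DefenderEvents      | Format-Table -AutoSize -Wrap

# The same knobs that Group Policy or Intune set centrally can be verified or set locally;
# here real-time protection is kept on and cloud-assisted detection is enabled.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples
```

If a client's SignatureAgeDays keeps growing while the service reports enabled, the endpoint is usually cut off from its update source; that condition is worth alerting on separately from detections, since an out-of-date Defender produces no events at all for the threats it cannot recognise.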
Many companies have mitigated credential theft risks with the help of 2FA. This method makes the logon process harder to subvert by combining at least two of: something you know, something you have in your possession, and something unique about you. The additional factor usually requires a physical device or the user’s physical presence.
With Microsoft Passport, there’s a strong 2FA mechanism that has been directly integrated into Windows. Many organizations are already using 2FA but don’t integrate it with their enterprise because of the cost involved. They typically use it for securing VPN connections.
But Passport is unlike other 2FA forms because it has been designed specifically to address the costs, complexity, and user-experience challenges of regular 2FA solutions. This is why it is simpler to deploy throughout an enterprise even with existing devices and infrastructure.
Passport can also use biometric information collected by Windows Hello. When users register devices and use Windows Hello to log in, Passport’s private key fulfills all subsequent requests for authentication. This combines the flexibility of virtual smart cards and the security of physical smart cards without any extra infrastructure components.
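The sentence "Passport's private key fulfills all subsequent requests for authentication" describes an asymmetric challenge-response: the private key never leaves the device, the identity provider only ever holds the public key, and each logon is a fresh signature over a server nonce. The block below is an added illustration of that exchange using .NET's RSA classes from PowerShell; it is not Microsoft's Passport implementation, does not touch the real Passport key store, and the enrollment and verification functions are mine.

```powershell
# Added example: the enroll / challenge / sign / verify pattern behind Passport-style logon,
# modelled with an in-memory RSA key pair. Constructed for illustration only.

function New-DeviceKey {
    # Enrollment: the device generates a key pair. In Passport the private half would sit
    # in the TPM and be unlocked by the user's PIN or Windows Hello biometric.
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
    [pscustomobject]@{
        Private   = $rsa
        PublicXml = $rsa.ToXmlString($false)   # only the public parameters leave the device
    }
}

function New-Challenge {
    # The identity provider issues a random nonce per logon so a captured signature cannot be replayed.
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    return $nonce
}

function Invoke-DeviceSign([byte[]]$Nonce, $DeviceKey) {
    # Device side: signing is the only operation the private key performs for the IdP.
    $DeviceKey.Private.SignData($Nonce, 'SHA256')
}

function Test-Response([byte[]]$Nonce, [byte[]]$Signature, [string]$EnrolledPublicXml) {
    # IdP side: verification needs nothing secret, so a breached IdP leaks no credentials.
    $verifier = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $verifier.FromXmlString($EnrolledPublicXml)
    $verifier.VerifyData($Nonce, 'SHA256', $Signature)
}

# Enrollment happens once; the IdP stores PublicXml against the user/device.
$device = New-DeviceKey

# One logon: challenge, sign, verify.
$nonce = New-Challenge
$sig   = Invoke-DeviceSign -Nonce $nonce -DeviceKey $device
"Genuine response accepted: $(Test-Response -Nonce $nonce -Signature $sig -EnrolledPublicXml $device.PublicXml)"

# Replay attempt: the same signature presented against a new challenge is rejected.
$nextNonce = New-Challenge
"Replayed response accepted: $(Test-Response -Nonce $nextNonce -Signature $sig -EnrolledPublicXml $device.PublicXml)"

# A different device's key, even with a valid signature over the right nonce, is rejected too.
$imposter = New-DeviceKey
$badSig   = Invoke-DeviceSign -Nonce $nonce -DeviceKey $imposter
"Foreign key accepted: $(Test-Response -Nonce $nonce -Signature $badSig -EnrolledPublicXml $device.PublicXml)"
```

The first line prints True and the other two print False, which is the whole point of the design: the password-equivalent secret is a key that is never transmitted, so there is nothing for a phishing page or a compromised server database to capture, and binding the key to the TPM is what makes it "something you have" rather than just another file.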
With all these new security options added to Windows 10, now you can relax. A little!