Windows 10 has introduced a range of new security features to combat some of the issues faced by previous Windows operating systems. Here we run down the top features available for your protection.
Malware Protection
Device Guard, the primary tool for fighting malware in Windows 10, only allows users to download trusted applications that have been approved by the Windows Store or specific, trusted vendors. The tool also grants IT admins the power to sign and approve any apps Microsoft or a software vendor did not. It is essentially a form of app whitelisting, where IT determines which apps are safe for the business.
If a user tries to download an app that isn’t on the list, Device Guard will stop them and admins can let the user know it’s not approved. To bolster their defense even more, IT admins can limit which apps can access the corporate virtual private network (VPN) based on the port or IP address.
The major limitation of Device Guard is its tamper-proof design, which might not leave admins with the control and flexibility to make the adjustments they would like.
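As an added example (not from the original article or from Microsoft's documentation), the following PowerShell shows how an admin would build the kind of Device Guard application whitelist described above from a clean reference machine, stage it in audit mode, and review what it would have blocked before enforcing it. The C:\CIPolicy paths are placeholders chosen for this example.

```powershell
# Added example: create a Device Guard code integrity policy from a reference build,
# deploy it in audit mode, then review the audit log before switching to enforcement.
# Assumptions: elevated PowerShell on a clean reference machine; C:\CIPolicy is an
# example working directory, not a path the article or Microsoft prescribes.

$PolicyDir = 'C:\CIPolicy'
$PolicyXml = Join-Path $PolicyDir 'DeviceGuardPolicy.xml'
$PolicyBin = Join-Path $PolicyDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Scan the reference machine and allow what is installed there, keyed on the
#    signing publisher so vendor updates keep working. Unsigned files fall back to
#    a per-file hash rule. -UserPEs includes user-mode apps, not only drivers.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Start in audit mode (rule option 3): nothing is blocked yet, but every binary
#    the policy would have refused is recorded in the Code Integrity event log.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile the XML into the binary form Code Integrity consumes and put it where
#    it is picked up at the next boot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 4. After a period of normal use, list what audit mode flagged. Event 3076 is the
#    audit-mode counterpart of the enforced-mode block event 3077.
function Get-CIAuditFindings {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}
Get-CIAuditFindings

# 5. Once every flagged binary is either approved (re-scan, or merge in publisher
#    rules for the vendor) or confirmed unwanted, remove audit mode so the policy
#    actually blocks unapproved apps, then recompile and redeploy as in step 3.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Running the audit step for a representative period across several users is what keeps the whitelist from being the kind of rigid, hard-to-adjust control the limitation above describes.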
Multifactor authentication
Multifactor authentication bolsters security by requiring at least two forms of identification to log in to a computer or profile. One form of authentication could be a password, but the user also has to enter a PIN or use biometric technology to log in. Windows Hello is Microsoft’s biometric hardware and can recognize a user’s face, iris or fingerprint. Microsoft Passport, which features asymmetric cryptography, adds biometric authentication to Microsoft Edge.
In Windows 10, a mobile device can work as one of the forms of authentication with a key pair from Microsoft or a PKI certificate provisioned in-house. Both can authenticate the device and associate a security token with it. The token is stored using Hyper-V technology in a secure container. Hackers cannot impersonate the user with a pass-the-ticket attack and access the token. And even if a hacker has a user’s password, he would still need the user’s actual mobile device to gain access to the network.
Enhanced data loss prevention
Windows operating systems have used BitLocker encryption for DLP as far back as Vista. Windows 10 security features take DLP up a notch to address concerns associated with users who are constantly moving data from device to device. If a user does not have the correct security profile, IT admins can use containers to limit which apps can access corporate data. They can also put restrictions on what information can be copied while the data is transferring from one device to another.
The containers keep corporate and personal information separate at the app and file level, and even encrypt data automatically when it goes onto a device. And users don’t have to switch modes or apps to keep data safe. In fact, they don’t have to do anything, so IT admins don’t have to worry about users ignoring security policies.
Microsoft Edge
Internet Explorer’s (IE) security holes – from the most basic browser vulnerabilities to common attacks such as distributed denial of service and bypass – are well documented. Microsoft is trying to plug the gaps by focusing on stopping phishing and browser hacking in its new Windows 10 web browser, Edge. For example, EdgeHTML fights phishing by blocking cross-site scripting attacks using the World Wide Web Consortium (W3C) standard. HTTP Strict Transport Security provides secure connections to each website. Other antiphishing features include Microsoft SmartScreen, which blocks access to malicious sites, and Microsoft Certificate Reputation, which prevents access to sites with fraudulent certificates.
Microsoft has also taken steps to stop browser hacking by making Edge’s code more resistant to attack, completely redesigning its document object model. Vulnerable legacy extensions such as VML, VBScript and toolbars are out in favour of HTML5. Edge also runs as a 64-bit process on 64-bit systems. As a result the address space is much larger than in IE, so address space layout randomization is much more effective, which makes it harder for attackers to pinpoint where to strike.
And a few other notable Windows 10 security features …
In Windows 10, IT admins can use Azure Active Directory instead of Microsoft Accounts to handle their Active Directory and still access the Universal apps platform without sacrificing any internal policies. Windows 10 also extends the managed VPN policies from Windows 8.1 to any third-party VPN vendor and includes individual desktops and Universal apps. The policies can all be managed by a mobile device management platform. Microsoft Advanced Threat Analytics detects anomalies based on an internal view of Active Directory.