Security features enticing the enterprise to migrate to Windows 10

Damage from security attacks is all over the news, and here comes Microsoft boasting unprecedented protection from malware and advanced security threats, with security features more than convincing enough for the enterprise to migrate to Windows 10, such as Windows Hello, Microsoft Passport, Windows Information Protection, Device Guard and Credential Guard.

Although everyone will agree that Windows 7, the most successful OS in Microsoft history, has served enterprises well for the last five years, it doesn’t offer the protection features needed to face today’s security threats, nor will third-party products.

New challenges require new abilities or, at least, a new vision; if in doubt, just chat with IT executives who are still running Windows XP, for which Microsoft is no longer offering security updates as of April 2014.

Here are security features convincing enough for the enterprise to migrate to Windows 10:

IDENTITY PROTECTION

Today’s multi-factor solutions are often cumbersome and costly to deploy if your computer fleet is large.

Microsoft Passport is an easy-to-use and easy-to-deploy, multi-factor, password alternative that you use to securely authenticate to other network locations; it works with your enterprise Active Directory or Azure Active Directory.

 

Phishing attacks on users’ passwords are increasingly successful and enterprises should be worried.

So, Windows Hello uses biometrics to provide a more secure way of accessing your device, Microsoft Passport, apps, data, and online resources. Windows Hello is Windows 10’s attempt to get rid of passwords which are often stolen and reused. Hello supports three methods of biometric authentication (facial, iris, and fingerprint) in concert with a simple PIN.

 

Persistent attacks rely on the ability to steal domain and user hashed credentials to move around the network and access other computers in “pass-the-hash” attacks, and evade detection.

Credential Guard protects corporate identities by isolating them in a hardware-based virtual environment. Microsoft isolates critical Windows services in the virtual machine to block attackers from tampering with the kernel and other sensitive processes. Also, Microsoft Azure Active Directory provides a comprehensive identity and access management solution for the Cloud.

 

DATA PROTECTION

BitLocker used to offer optionally configurable disk encryption, but it is much improved in Windows 10: it is now highly manageable and can be automatically provisioned on most new devices. Any user who backs up confidential data on his device should create an encrypted partition with BitLocker.

 

Data Loss Prevention (DLP) requires additional software and, frequently, third-party capability. Windows Information Protection addresses the need for DLP: it includes a deeply integrated data separation and containerisation solution, and provides encryption at the file level.

 

On the other hand, DLP solutions often compromise the user experience in the interest of security, resulting in low adoption and varying experience between the desktop and mobile devices.

Windows Information Protection provides a seamless user experience across mobile devices and the desktop, and it is integrated with Azure Active Directory and Rights Management Services.

 

THREAT RESISTANCE

Before, all apps were trusted until they were determined to be a threat or were blocked. Device Guard offers protection on the desktop that is similar to lockdown on a mobile platform (full app lockdown). « Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel. Device Guard is included in Windows 10 Enterprise and Windows Server 2016. »

 

With more than 300,000 new threats per day, blocking them through detection is a losing battle. With Device Guard, an application must prove itself to be trustworthy before it can be run.

 

Windows 7 provides a series of defense solutions but too many malware threats impact users before detection-based antivirus solutions can catch up.

Device Guard will be the most disruptive malware-resistance capability Microsoft has ever shipped on the desktop. Device Guard relies on Windows 10’s virtualization-based security to allow only trusted applications to run on devices.

 

DEVICE SECURITY

Platform security is based entirely on what software can do on its own, and once infected there is no assurance that system defenses can perform their function and remain tamper free.

Hardware-based security and the level of trust it offers help to maintain and validate hardware and system integrity.

 

Malware can hide within the hardware or in the OS itself and there is no way to validate integrity once it has been compromised.

UEFI Secure Boot helps prevent malware from embedding itself within hardware or starting before the OS (bootkits / rootkits). Trusted Boot helps maintain the integrity of the rest of the OS.
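
Whether Credential Guard, HVCI, a Code Integrity policy, Secure Boot and BitLocker are actually active on a deployed machine can be checked from PowerShell. The following read-only check is an added example, not code from the original post or from Microsoft's guides; the function name `Get-Win10SecurityPosture` is hypothetical, and it assumes an elevated session on Windows 10 Enterprise or Windows Server 2016.

```powershell
# Added example (not from the original post): read-only security posture check.
# Assumes an elevated PowerShell session; Get-Win10SecurityPosture is a hypothetical name.
function Get-Win10SecurityPosture {
    # Win32_DeviceGuard reports the state of virtualization-based security (VBS).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsText = @{ 0 = 'Off'; 1 = 'Enabled, not running'; 2 = 'Running' }
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $ciText  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $running = if ($dg) { @($dg.SecurityServicesRunning) } else { @() }

    # Confirm-SecureBootUEFI throws on legacy BIOS or without elevation.
    $secureBoot = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
                  catch { 'Unavailable (legacy BIOS or not elevated)' }

    # BitLocker state of the operating system volume.
    $bl = try { Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop }
          catch { $null }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        VbsStatus              = if ($dg) { $vbsText[[int]$dg.VirtualizationBasedSecurityStatus] }
                                 else { 'Unknown' }
        CredentialGuardRunning = $running -contains 1
        HvciRunning            = $running -contains 2
        CodeIntegrityPolicy    = if ($dg) { $ciText[[int]$dg.CodeIntegrityPolicyEnforcementStatus] }
                                 else { 'Unknown' }
        SecureBoot             = $secureBoot
        BitLockerProtection    = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Unknown' }
        BitLockerVolumeStatus  = if ($bl) { "$($bl.VolumeStatus)" } else { 'Unknown' }
    }
}

Get-Win10SecurityPosture | Format-List
```

A machine where `VbsStatus` is `Enabled, not running` has the policy configured but does not yet meet the hardware or firmware requirements, so Credential Guard and HVCI are not protecting it.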

 

CONCLUSION

New security challenges require new security features; many may argue that Windows 10 security provides those much-needed new security features for the enterprise. Although they come at a cost, one must never underestimate the cost of a security breach!

Incidentally, in our opinion and considering the threats, these security features are certainly enticing enough for any enterprise to migrate to Windows 10.

For more information on how to implement these, Microsoft has published technical guides for both Device Guard and Credential Guard.

 

Denis Paul & Michel

Source: Microsoft, InfoWorld
