
Windows 10 security features may force hardware upgrades

Windows 10 security features include hardware-based application whitelisting and facial recognition technology. What could go wrong?

Windows 10 will support biometric authentication and hardware-based application whitelisting to help IT pros lock down devices – both positive steps for data security.

However, those Windows 10 security features would require hardware upgrades for many companies, and the application whitelisting feature may also involve a significant amount of work for IT.

Device Guard in Windows 10 protects devices from malware variants and Advanced Persistent Threats (APTs) by blocking untrusted apps. Trusted apps are signed by specific software vendors, the Windows Store, or the IT department. It comes with tools to sign Universal Apps (or Win32 apps) that weren't signed by the software vendor.

With this approach to application whitelisting, Windows determines whether an app is trustworthy and notifies the user if it isn't. Device Guard uses hardware technology and virtualization to isolate that decision-making function from the rest of the OS, protecting it from attackers or malware that may have gained access to the system, according to Microsoft.

"Hardened, locked down platforms like Microsoft previously delivered with Windows Phone and Windows RT, and Apple delivers with iOS, are a great defense against many types of exploits," said Wes Miller, a Windows analyst with Directions on Microsoft, an independent analysis firm in Kirkland, Wash.

IT pros are optimistic that Device Guard will make the next version of Windows more secure, given the shortcomings of antivirus (AV) software and similar signature-based defenses that systems managers are relegated to, said David Reynolds, systems manager with the Rhode Island Blood Center in Providence and a certified ethical hacker.

However, digital signing can be challenging, so it must be easy to implement and be tied to Active Directory, Reynolds said.

Is Device Guard the answer to malware and APTs?

Microsoft claims Device Guard gives it an advantage over traditional AV and app control technologies such as AppLocker and Bit9, which can be "tampered" by administrators or malware. Microsoft declined to explain how much, or how little, control administrators will have over Device Guard, which concerns IT pros who fear the feature may be a bit too tamper-proof and take flexibility away from IT.


"I have seen AV solutions misclassify legitimate processes like remote control software VNC as 'malware' before," said Matt Kosht, an IT manager with an energy company in Michigan. "Flipping on Device Guard and breaking critical enterprise applications would be an issue."

Having tools to digitally sign or otherwise trust unsigned executables helps, but it could also mean a lot of work for enterprise IT, Kosht said.

"If you had 100 legacy applications you had to pass through this process it could take significant investment to get this implemented effectively," he said.

Still, putting security at the core of the OS and hardware to combat APTs is a good move, especially since AV software is "horribly inadequate" at dealing with APT threats, Kosht said. But he's skeptical Device Guard will effectively stop APTs.

Intel has had the XD (Execute Disable) feature in its processors and Microsoft has had Data Execution Prevention support since Windows XP SP2/Windows Server 2003, he said.

"We all know how ineffective these technologies were with stopping APTs."

Device Guard appears to be an evolution of those approaches, adding virtualization to the technology stack. It isn't novel, however; other products, such as Bromium vSentry, also offer protection through hardware isolation.

Microsoft was careful not to cut its AV software partners out of the equation, and claims Device Guard won't replace traditional AV and app control technologies. Those can work with Device Guard to help block executable and script-based malware and cover areas that Device Guard doesn't. For example, traditional AV software can detect attacks against interpreted platforms, such as Java, Flash, Office, and Acrobat, that are exploited with payloads, Miller said.

So far, OEMs that support Device Guard on their hardware include Lenovo, HP, Acer, Fujitsu and Toshiba.

Windows 10 biometrics requires hardware upgrades

Device Guard follows a biometric authentication tool Microsoft introduced last month called Windows Hello that requires specialized hardware.

With Windows Hello, users can show their face or iris, or touch a finger, to gain access to apps and enterprise content without a password or being hooked into a network server.

Facial recognition is the evolution of the logon that's embraced by users such as Reynolds, who enjoy biometric capabilities already available in Xbox. But it is a technology that is in its early phases.

"While sometimes commands have to be repeated in a militant fashion for effectiveness, it will continue to mature as most technologies often do," he said. "Facial recognition has also been plagued by pitfalls such as users having tans, facial hair, and eyewear. I've also seen many a user wrestle with fingerprint recognition, forcing the vast majority of the current user base to rely on the username and password methodology."

Windows Hello requires hardware with a fingerprint reader or other biometric sensors. Fingerprint-based sensors are already on some devices and will work with Hello. Though the facial recognition feature won't be limited to Intel RealSense 3D Camera, that's the technology Microsoft touts.

So far there are three laptops with Intel RealSense: the Dell Inspiron 15 5000 Series Touch (starting at $749.99 on Dell.com), the HP ENVY - 15t Touch RealSense Laptop (starting at $649.99 on HP.com) and the Lenovo B50 Touch (starting at $849.99 on Lenovo.com).

About the author:
Bridget Botelho is senior news director of TechTarget's Data Center and Virtualization and End-User Computing media groups. Follow her on Twitter: @bridgetbotelho.

What do you think of Device Guard and Windows Hello security features?
@Matt Heusser - I agree, there will be an adoption lag, perhaps longer than is typical in large companies. @Veretax - Great point about the impact on new/future applications. I'll be sure to ask Microsoft about that. @ncberns The few devices that include biometrics and/or Intel RealSense 3D for facial recognition are priced higher -- some pricing is in the last graph of the article. Whether these technologies are worth their weight in gold depends on who you ask. I'd guess companies will only want to invest in these devices for a small segment of their end users. @Michael Larsen -- the annoyance factor is a big one and will certainly impact end user satisfaction. If the security features impact productivity, or ease of use, there will be major backlash.

With companies relying on so much unsigned legacy software and open source software, I have to expect these features will only be used by things like public terminals. So a nice, incremental security advance, but it may be a generation or two (3 to 6 years) before this has any wide adoption.

Then again, generations in OSs keep coming faster, don't they?

It's hard to say what these new features will do. Will they make us safer? Will they make hardware more expensive? The part about trusted apps concerns me greatly, though. It sounds to me like a way to elbow newcomers to markets out, because their software is unknown. We see it with some Antivirus scanners now.

The hardware-software leapfrogging continues. Before implementation, we'll have to explore if the advancements are really worth their cost. That hasn't always been the case. And wonder, too, on the criteria for whitelisting apps. If it's a recommendation, fine; if it's a roadblock, not so good....

Additional to this discussion is the "annoyance factor". How difficult will it be to work with these systems? What level of hardware enhancement will I need to take advantage of these systems? Will it cause my favorite programs to be unusable? These are the questions I personally ask before I invest in updates, and is part of the reason I still primarily run Windows 7 on my main hardware PC. I will upgrade hardware most likely this year, but with it, I will ask all of these questions.

I agree with Michael on the "annoyance factor". It may very well have to be the price we pay for better security. The reason is the methods we are using just don't cut it. I have seen fingerprint scanners fooled. It may be we do need another form of biometrics. This will in the long run drive up the cost of mobile devices. Maybe that was the plan all along..... Now it seems like it's just 2-3 years after your hardware investment, it's obsolete and you have to buy new again..
