Last Friday, two interesting and complementary blog posts appeared, each with its own discussion of security in the latest Windows 10 Technical Preview version. The first comes from Microsoft itself, in a post by Jim Alkove for the Windows for Your Business blog, entitled “Windows 10: Security and Identity Protection for the Modern World.” The second occupies a significant portion of Paul Thurrott’s mind-bending Windows SuperSite article entitled “Windows 10 is the Most Audacious Release in the History of the Platform.” This is pretty strong stuff, and will take a little time to work your way through. Hopefully, the summary that follows will give readers the impetus to do just that.
It is too facile to say that Windows 10 locks things up from a security perspective, though it certainly adds and extends protection at many levels.
Source: Shutterstock 210211225.
The MS blog post raises the following issues:
- Windows 10 is intended to “move the world away from the use of single factor authentication options, like passwords.” Once mobile devices are enrolled, they become one of two factors required for authentication, where the second factor could be a PIN or a biometric (e.g. a fingerprint). This lets a user’s smartphone vouch for his PC and requires attackers to compromise two devices to mount a successful attack. MS describes this functionality as allowing a mobile device to “…behave like a remote smartcard and it will offer two factor authentication for both local sign-in and remote access.” It works with existing PKI infrastructures, and with Active Directory, Azure Active Directory, and Microsoft Accounts. MS is also taking steps to protect user access tokens created upon authentication from attack by storing them in a secure Hyper-V based container.
- Windows 10 will build “robust data loss prevention right into the platform itself.” This involves use of strong encryption technologies from BitLocker, Azure Rights Management, and Information Rights Management in MS Office, but adds DLP technology “that separates corporate and personal data and helps protect it using containment…” so that there’s “… no need for … users to switch modes, or apps, in order to protect corporate data, which means that users can help keep data safe without changing their behavior” (emphasis mine). This applies equally to mobile devices running Windows Phone and to other devices (also possibly mobile) running Windows. VPN control options for remote access are also extended and improved, including “app-allow and app-deny lists” as well as controls aimed at “specific ports or IP addresses.”
- “When it comes to online threats, such as malware, we’ll have a range of options to help enterprises protect against common causes of malware infection on PCs.” This includes options for device lock down, mechanisms to allow users to install only trusted apps (though MS provided signing services) that covers “anything that can run on the Windows desktop” for both mobile and desktop devices and PCs.
Thurrott follows up with his own salute to security improvements, including:
- Use of Azure Active Directory (AAD) instead of Microsoft Accounts (MSAs), which “enables corporations to federate their on-prem Active Directory with AAD and continue using the Universal apps platform and other features that required an MSA in a way that respects their internal policies” (emphasis mine).
- Integrate multi-factor authentication more deeply into the platform (ties into the use of mobile devices as what Thurrott labels as “virtual smart cart technology” through use of mobile devices as explained above).
- Information protection is another way of describing data loss prevention (DLP), which Thurrott views as an “evolution of the rights management technologies Micrsofot has been working on for over a decade…”
- Secure remote access, which Thurrott explains as an “evolution of the managed VPN technologies that debuted in Windows 8.1 and Windows Phone 8.1” which he sees as “extend to individual desktops and Universal apps (per-app VPN) and managed via MDM” (Microsoft Device Management) and made “available to all third-party VPN providers.”
The MS post conveys all the key points, but Thurrott is better at estimating their impact on enterprises and organizations that will deploy the new OS sooner or later (probably later, if history is any guide, though these new features may actually provide a real impetus for businesses to speed things up, somewhat). Good stuff!