
A Windows 10 security rundown

Author: Orin Thomas, Microsoft MVP – Office Servers and Services

Windows 10 includes a number of new and existing security technologies. Although no single security technology will protect Windows 10 from every threat in every situation, when you use them all in their appropriate context, you help your organization be more secure than it would be if you were running an older version of the Windows client operating system. As with any security technology, you’ll get the most out of them when you deploy them properly. In this article, I’ll look at some of the old and new security technologies in the Windows client operating system and the types of situations in which you would deploy them.

Device Guard

If you're familiar with Software Restriction Policies or AppLocker, you understand the basic idea behind Device Guard. Like those older technologies, Device Guard allows you to lock down a computer running Windows 10 so that it can only run trusted applications. Device Guard works at a much deeper level of the operating system, by leveraging virtualization-based security to isolate the Code Integrity service from the Windows 10 operating system kernel. With Device Guard, there are two Code Integrity services. The first runs in a container that is separated from the Windows 10 operating system kernel by a hypervisor and protects kernel mode. The second is for user mode and has a strict app control policy that is signed, so it can’t be arbitrarily changed by a local administrator.

Device Guard works on the principle that applications are untrustworthy unless explicitly authorized rather than that applications can execute unless they are explicitly blocked. Although it was possible to configure previous technologies in this manner, Device Guard makes this process simpler. With Device Guard, you configure digital signatures in an enterprise policy to specify which applications are recognized as trustworthy. Device Guard supports traditional Windows applications and Universal Windows Platform (UWP) apps.

Because it is integrated with the operating system at a deeper level, Device Guard has more stringent requirements than previous application restriction policies. For example, Device Guard requires that the computer be running Windows 10 Enterprise edition, have UEFI version 2.3.1 or later firmware, and be configured for Secure Boot. Device Guard also requires that the computer have a 64-bit processor that supports virtualization extensions and Second Level Address Translation (SLAT).

The trick with deploying Device Guard is to have an accurate inventory of all of the applications used in your organization. If you don’t have an accurate inventory, there will be applications that won’t run because they won’t be on the approved list. Device Guard supports using an internal PKI for application signing, so if an application in your organization isn’t signed, you can configure a digital signature to allow it to run. Microsoft also has an online signing service for signing policies and catalog files that organizations can use.
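The inventory problem described above is usually solved by running the code integrity policy in audit mode first. The following PowerShell is an added example, not code from the article; it assumes the ConfigCI module on a clean Windows 10 Enterprise reference machine and an arbitrary working folder `C:\CIPolicy`.

```powershell
# Added example (not from the article): build a Device Guard code integrity policy
# from a reference machine, run it in audit mode, then tighten it to enforcement.
Import-Module ConfigCI

$workDir = 'C:\CIPolicy'          # assumed working folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# 1. Scan the reference machine. Publisher level trusts the signing certificate
#    chain; unsigned binaries fall back to a per-file hash rule.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath "$workDir\InitialScan.xml"

# A freshly generated policy already carries rule option 3 ("Enabled:Audit Mode"),
# so unapproved binaries are logged rather than blocked. Deploy this version first.
ConvertFrom-CIPolicy -XmlFilePath "$workDir\InitialScan.xml" `
    -BinaryFilePath "$workDir\SIPolicy.p7b"
Copy-Item "$workDir\SIPolicy.p7b" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
# ... reboot and run the business applications for a few days ...

# 2. Review what would have been blocked. CodeIntegrity event 3076 is the
#    audit-mode "would have been blocked" event.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } |
    Select-Object TimeCreated, Message | Format-List

# 3. Turn the audited binaries into rules and merge them with the base policy,
#    so gaps in the inventory become explicit rules instead of broken apps.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs `
    -FilePath "$workDir\AuditPolicy.xml"
Merge-CIPolicy -PolicyPaths "$workDir\InitialScan.xml", "$workDir\AuditPolicy.xml" `
    -OutputFilePath "$workDir\MergedPolicy.xml"

# 4. Only once the merged policy has run clean in audit mode, delete option 3
#    to switch to enforcement, rebuild the binary policy and redeploy it.
Set-RuleOption -FilePath "$workDir\MergedPolicy.xml" -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$workDir\MergedPolicy.xml" `
    -BinaryFilePath "$workDir\SIPolicy.p7b"
```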

Credential Guard

Credential Guard is a Windows 10 technology that creates a special virtualized location to store important secrets such as cached NTLM hashes. Credential Guard protects against a special type of attack that might leverage cached credentials to gain access to remote systems. “Pass the hash” is one such type of attack where credentials extracted from one computer can be used to gain access to another.

Credential Guard should first be implemented on any computer where privileged accounts are used. Credential Guard will be able to protect these computers should they become compromised by malware that attempts to extract credentials. It’s a vitally important technology for computers that are used to perform systems administration tasks. It’s also important for end user computers that may end up storing privileged credentials when a member of the IT department signs on to attempt to solve a problem. Organizations should aim to have all computers using Credential Guard in the long run, but protecting computers that are regularly used to access sensitive resources and servers should be a first priority.
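To prioritize as the paragraph above suggests, you first need to know which administrative workstations are actually running Credential Guard. This PowerShell is an added example rather than the article's own code; the hostnames are placeholders, WinRM access to each host is assumed, and the hosts are assumed to already meet the UEFI, Secure Boot and virtualization requirements.

```powershell
# Added example (not from the article): report VBS / Credential Guard state on a
# set of admin workstations and enable it where it is missing.
$adminWorkstations = 'ADMIN-PC01', 'ADMIN-PC02'   # placeholder hostnames

function Get-CredentialGuardState {
    param([string]$ComputerName)
    # Win32_DeviceGuard exposes VBS status. SecurityServicesRunning contains 1
    # when Credential Guard is running and 2 when HVCI (Device Guard) is.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running.
    $dg = Get-CimInstance -ComputerName $ComputerName `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Computer               = $ComputerName
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfig  = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
    }
}

# Writes the same registry values the Group Policy setting would set.
# RequirePlatformSecurityFeatures = 1 requires Secure Boot (3 adds DMA protection).
# LsaCfgFlags = 1 enables Credential Guard with the UEFI lock, so malware running
# as administrator cannot simply turn it back off; 2 enables it without the lock.
function Enable-CredentialGuard {
    param([string]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
        $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        New-Item -Path $dgKey -Force | Out-Null
        Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord
        Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags                       -Value 1 -Type DWord
        # A reboot is required before Credential Guard starts protecting LSA secrets.
    }
}

$report = $adminWorkstations | ForEach-Object { Get-CredentialGuardState $_ }
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.CredentialGuardRunning } |
    ForEach-Object { Enable-CredentialGuard $_.Computer }
```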

Enterprise data protection

Enterprise data protection (EDP) allows organizations to encrypt business data stored on both organization-owned and employee-owned devices. You can use EDP to control which apps have access to business data and what rights users have to business data (for example, controlling which apps business data can be pasted into). When integrated with Azure Directory Rights Management Services, EDP can also be used to restrict advanced rights such as the ability to print or forward business data through email. EDP allows you to remotely wipe business data from both organization-owned and employee-owned devices without impacting personal data. For example, you could use EDP to wipe all Excel spreadsheets related to an organization’s projects stored on an employee-owned device, without removing Excel spreadsheets the employee uses to track their personal finances.

Enterprise data protection is a great solution for organizations that want to implement a Bring Your Own Device (BYOD) policy but are concerned about what happens when an employee (and their device) decides to leave the organization. In the past, the organization had to come up with some way of removing organizational data from the employee’s device, something that might be problematic if the employee left the organization under less than ideal circumstances. With EDP, the data can be deleted or left in an inaccessible encrypted state with a few clicks of the mouse.

BitLocker

BitLocker is a security technology that has been around for several versions of the Windows client operating system. This important security technology provides boot environment protection and full disk encryption. When BitLocker was first introduced, few computers had the requisite Trusted Platform Module (TPM) chip to support its functionality. Today computers with TPM chips are common, and some computers, like Microsoft’s Surface Pro and Surface Book and Lenovo’s Yoga 900, come with BitLocker enabled by default. Beginning in July 2016, TPM 2.0 chips will be required on all devices that ship with an OEM installation of Windows 10. Because it can protect against a variety of attacks that impact the computer at boot, you should ensure that BitLocker is deployed on computers that administrators use. You should also ensure that it is enabled on any laptop or tablet that stores critical organizational data, though in the long run you should deploy it on all organizational laptops. This way, if the device is left in a taxi or in the seat pouch of an airplane, the person who finds it won’t be able to extract any meaningful data by simply mounting the hard disk drive elsewhere.
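The "mounting the drive elsewhere" case above is what the TPM protector defeats: the volume key is sealed to the measured boot state of the original machine. This PowerShell is an added example, not code from the article; it assumes the BitLocker module on Windows 10 version 1511 or later, a ready TPM, and a domain whose AD schema accepts BitLocker recovery information.

```powershell
# Added example (not from the article): enable BitLocker on the system drive with
# a TPM protector plus a recovery password, and escrow the password in AD.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; BitLocker boot protection needs a TPM.'
}

# The TPM protector binds the volume key to the measured boot chain, so the drive
# stays sealed if it is moved to another machine or the boot chain is tampered
# with. XTS-AES 256 is available from Windows 10 version 1511 onward.
Enable-BitLocker -MountPoint 'C:' -TpmProtector -EncryptionMethod XtsAes256 `
    -UsedSpaceOnly -SkipHardwareTest

# The recovery password is the fallback when the TPM measurements change
# (firmware update, motherboard replacement). Escrow it in Active Directory so
# the helpdesk, not the user, holds it.
Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
$volume = Get-BitLockerVolume -MountPoint 'C:'
$rp = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $rp.KeyProtectorId

# Report the result. VolumeStatus moves from EncryptionInProgress to FullyEncrypted
# and ProtectionStatus should read On once the TPM protector is active.
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```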

Windows Defender

Malware is a persistent problem that organizations will likely always have to deal with. Like BitLocker, Windows Defender has been included with previous versions of the Windows client operating system. Windows Defender in Windows 10 provides built-in antimalware functionality, identifying and removing malware before it can impact the computer.

In organizational environments, a solution with central reporting is likely more appropriate than standalone Windows Defender. Microsoft Intune Endpoint Protection and System Center Endpoint Protection are built on Windows Defender. Intune Endpoint Protection is a good option for BYOD devices, and System Center Endpoint Protection is a great option for traditional desktop computers. The reporting functionality ensures that the IT department can see which computers have encountered malware as well as verify that everyone’s antimalware definitions are up to date.

Windows Firewall

Although it is something that we take for granted because it has been included with Windows for more than a decade, Windows Firewall is an important component of Windows 10 security. Windows Firewall and Windows Firewall with Advanced Security provide a basic level of protection from incoming unsolicited network traffic, whether the computer is deployed on a protected network or is connected to an untrusted network, such as a public Wi-Fi access point. It’s important to remember that even the most protected network can have threats, and that a good number of remote exploits are mitigated by the presence of a simple packet filter like Windows Firewall.

For organizations that are concerned about unauthorized traffic on their network, Windows Firewall with Advanced Security can be configured with what are termed Connection Security Rules. Connection Security Rules are a type of IPsec policy. When configured with such rules, Windows client computers can request or require that some or all of the computers the client communicates with authenticate and encrypt those connections. When correctly implemented, computers will only communicate with known, authenticated hosts, and that communication will be encrypted in such a way that if it is intercepted, the contents of that communication will be indecipherable.
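A Connection Security Rule of the kind just described, expressed with the NetSecurity cmdlets, as an added example that is not part of the article. It assumes domain-joined clients (so computer Kerberos authentication is available) and uses a placeholder server subnet.

```powershell
# Added example (not from the article): require authenticated, ESP-encrypted IPsec
# for inbound traffic from a sensitive server subnet and request it outbound.
$serverSubnet = '10.0.5.0/24'   # placeholder: the sensitive server network

# Phase 1 (main mode) authentication with the computer's Kerberos identity, so
# only domain-joined machines can complete the IPsec handshake.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computer Kerberos' `
    -Proposal $authProposal

# Quick mode crypto: ESP with AES-256 and SHA-256 integrity. An AH-only set
# would authenticate packets but leave the payload readable if intercepted.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256 SHA256' `
    -Proposal $qmProposal

# The rule: inbound connections from the server subnet must be authenticated;
# outbound ones request IPsec so peers that cannot negotiate it keep working
# during the rollout. Change OutboundSecurity to Require once every peer complies.
New-NetIPsecRule -DisplayName 'Protect traffic with server subnet' `
    -RemoteAddress $serverSubnet `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -QuickModeCryptoSet $qmSet.Name `
    -Profile Domain

# Verification: once traffic flows, security associations should appear here,
# showing which peers negotiated IPsec and with which algorithms.
Get-NetIPsecMainModeSA | Format-Table -AutoSize
Get-NetIPsecQuickModeSA | Format-Table -AutoSize
```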

Cumulative updates

One of the big differences between previous client operating system versions and Windows 10 is the approach to operating system and security updates. In Windows 10, updates are cumulative rather than standalone.

In previous versions of the Windows client operating system, each month you were presented with a new collection of updates from Windows Update. You could pick and choose which updates to install. Each month’s updates were different, so if you missed or declined an update, you might have to go back and get it later if you wanted to make sure that your Windows client computer was protected from exploitable vulnerabilities. The problem was that people didn’t always install updates. Over the years, many exploits that had a significant impact targeted vulnerabilities that had been patched months, if not years before.

By switching to a cumulative update model with Windows 10, users just have to ensure that they are up to date once, because each month’s updates include the updates from all previous months. The cumulative update model works hand in hand with Microsoft’s operating system branch strategy. Essentially, an updated version of Windows 10 will be released several times a year. The vast majority of clients will update to this new updated version, which will be the base from which each month’s cumulative updates will be applied. A long term servicing branch option exists for organizations that don’t want updated operating systems on such a frequent basis, but even the long term servicing branch of Windows 10 receives cumulative, rather than individualized, updates.

Orin Thomas is an MVP and MCT who has a string of Microsoft MCSE and MCITP certifications. He has written more than 30 books for Microsoft Press and is a contributing editor at Windows IT Pro magazine. He currently creates IT pro-related courseware at PluralSight, and has been working in IT since the early 1990s. He regularly speaks at events like TechEd in Australia and around the world on Windows Server, Windows Client, System Center and security topics. Orin founded and runs the Melbourne System Center, Security, and Infrastructure Group. You can follow him on Twitter @orinthomas.