Learn about Windows 10 Security Features
Windows 10 Enterprise includes a number of features, including application vetting and biometric authentication that have the potential to make Windows 10 the most secure desktop OS for enterprise users. IT professionals should be aware of these important Windows 10 security features.
1. Device Guard
Device Guard is Microsoft’s latest evolution of application vetting to ensure only trusted applications can run on enterprise devices. Applications must be signed with a certificate that is trusted by the enterprise in order to be allowed to execute. Device Guard uses virtualization-based security in Windows 10 Enterprise to isolate the container containing the Code Integrity service. Even if the OS were compromised, the secure container cannot be accessed via administrative privilege to bypass verification of application credentials.
2. Credential Guard
Credential Guard protects login by storing credentials – NTLM hashes and Kerberos tickets – in a virtual container separate from the rest of the OS. Previous versions of Windows stored credentials in the Local Security Authority from which some malware could access and use the credentials. Credential Guard uses Hyper-V and requires a computer capable of booting via UEFI.
3. Secure Boot
Secure Boot is required to enable Device and Credential Guard. Secure Boot machines have a Microsoft certificate stored in UEFI. The UEFI boot process will only load a boot loader that is signed by a matching certificate. If a rogue boot loader is installed on the machine, the boot process will stop. It’s possible to add additional certificates to the UEFI BIOS to enable booting to Linux or other non-Microsoft OSes.
4. Windows Hello
Windows Hello implements biometric authentication to allow access to devices running Windows 10 without a password. Windows Hello requires a device to include biometric hardware such as a fingerprint reader or infrared laser with multiple lenses and a special processing chip to analyze images. Multiple OEM partners develop for Windows Biometric Framework, a technology that uses your face, iris and fingerprint as password alternatives to launching Windows.
5. Windows Passport
After authenticating to the device using Windows Hello, Windows Passport can be used to log into nearly everything else. Windows Passport is a system that provides a more secure way to sign in to websites, networks or applications. Instead of using a shared secret – like a password – Windows 10 can authenticate without sending a password so there is nothing stored on the server that hackers can steal. Windows Passport implements a public key/private key exchange similar to that used to access secure websites.
6. Protect On-Device Data via Azure Rights Management
According to Microsoft, Azure Rights Management “enables automatic encryption of corporate apps, data, email, website content and other sensitive information, as it arrives on the device from corporate network locations. If desired, companies can even designate all new content created on the device as corporate by policy. Additional policies can also enable organizations to prevent data from being copied from corporate content to non-corporate documents or external locations on the web such as social networks.”
7. Secure Intranet Sites via Edge Browser
Microsoft Edge, the newest release of Microsoft’s internet browser technology, has been designed to be the most secure browser released by Microsoft. One way that Edge improves security is by reducing support for extensions that have been used as vectors for malware. Edge will no longer support the extensions VML, VB Script, Toolbars, BHOs or ActiveX.
The Edge browser does not support plug-ins and therefore will not run Java applets. Edge does include Flash player however it is not enabled by default.
8. Windows Update for Business
Windows Update for Business provides additional control compared the consumer Windows Update process. Windows Update for Business gives organizations the ability to specify which devices are updated and when so that business continuity and productivity is not interrupted.
Windows Update for Business provides a ring-based distribution model so companies can decide what PCs get updated in what order. This provides the ability to test updates on a limited basis before rolling out to a wider audience.
Windows Update for Business also provides for maintenance windows allowing business to decide when updates can or should occur to avoid updates interfering with critical processes.
9. Enterprise Data Protection
Enterprise Data Protection can encrypt enterprise data on both employee-owned and corporate-owned devices. EDP can also remotely wipe data from managed computers, including employee-owned computers, without affecting personal data. EDP provides the capability to specify which apps can access enterprise data and block non-privileged apps from corporate data.
EDP protects enterprise data from leakage. If an employee transfers enterprise data to a USB key, the enterprise data remains encrypted and inaccessible outside of the enterprise.
By understanding the basics of Windows 10 Enterprise security features, IT professionals can maintain a secure network.
If you have questions about these Windows 10 security features or just want to learn more about them, ONLC Training Centers can help. Contact us today for more