Enhanced authentication and data protection
Windows 10 is expected to be released by the end of 2015, which will be Microsoft's first operating system to run on all types of devices, including Windows PCs and mobile devices.
Running a single operating system in an enterprise can bring about direct security advantages, including significantly simplifying device management and reducing the overall attack surface.
In addition, Windows 10 will include new features to enhance authentication and data protection, which will be attractive to enterprises that want to eliminate password usage and protect data in the BYOD era.
In this article, I will discuss three major security improvements in Windows 10 that may give enterprises a reason to consider upgrading.
Windows 10 multi-factor authentication
Windows 10 is widely acclaimed for its built-in multi-factor authentication. The mechanism is based on the FIDO Alliance's open standards and removes the need for additional security hardware such as smart cards and tokens. After enrollment, the device itself becomes one of the two factors required for authentication: the private key stays on the device, and the service stores only the matching public key. This makes phishing far less practical, because an attacker needs not only the user's PIN or biometric but also physical access to the enrolled device. It also protects users when a password database leaks, since there is no password to steal; attacking the password database is another common way for attackers to gain unauthorized access.
In Windows 10, a device's logon credential can be a key pair generated by Windows or a certificate issued to the device by the enterprise's internal PKI. Active Directory, Azure Active Directory and Microsoft accounts all support this new form of authentication. After the user authenticates, the derived credentials that Windows keeps for single sign-on (NTLM hashes and Kerberos tickets) are held in an isolated container protected by Hyper-V virtualization-based security instead of in ordinary LSASS process memory. This prevents them from being extracted and reused with techniques such as pass-the-hash or pass-the-ticket, which let attackers impersonate users without ever learning their logon credentials.
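As an added example (not code from the article or from Microsoft), the following PowerShell reports whether virtualization-based security and the isolated credential container (Credential Guard) are actually running on a device, and sets the registry values that turn them on. It assumes Windows 10 Enterprise on UEFI hardware with Secure Boot and virtualization extensions; the function names are my own, while the class, property, registry and feature names and the value encodings in the comments are Microsoft's documented ones.

```powershell
# Added example: check and enable the Hyper-V-isolated credential container
# (Credential Guard) on Windows 10. Function names are the author's own;
# class, property, registry and feature names are Microsoft's. Run elevated.

function Get-CredentialGuardState {
    # Win32_DeviceGuard reports both what is configured and what is actually
    # running; "configured" alone does not mean credentials are isolated.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # RequiredSecurityProperties / AvailableSecurityProperties: 1 = none, 2 = Secure Boot,
    # 3 = DMA protection, and higher values for further platform features
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        RequiredProperties        = $dg.RequiredSecurityProperties
        AvailableProperties       = $dg.AvailableSecurityProperties
    }
}

function Enable-CredentialGuard {
    param(
        # With -UefiLock the setting is also persisted in a UEFI variable, so a
        # remote registry change cannot switch it off; clearing it needs
        # physical presence. Prefer it for sensitive devices.
        [switch]$UefiLock
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # The hypervisor is required. The original Windows 10 release also needs the
    # separate IsolatedUserMode feature; later builds no longer have that name,
    # so it is enabled only when the feature exists.
    Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName 'Microsoft-Hyper-V-Hypervisor' | Out-Null
    if (Get-WindowsOptionalFeature -Online -FeatureName 'IsolatedUserMode' -ErrorAction SilentlyContinue) {
        Enable-WindowsOptionalFeature -Online -NoRestart -FeatureName 'IsolatedUserMode' | Out-Null
    }

    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1 -Type DWord
    # 1 = require Secure Boot, 3 = Secure Boot plus DMA (IOMMU) protection
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Value 1 -Type DWord
    # LsaCfgFlags: 0 = off, 1 = Credential Guard with UEFI lock, 2 = without lock
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name 'LsaCfgFlags' -Value $flags -Type DWord

    Write-Host 'Reboot, then re-run Get-CredentialGuardState and confirm CredentialGuardRunning is True.'
}

Get-CredentialGuardState | Format-List
```

The check matters more than the enable step: on hardware without Secure Boot or virtualization extensions the registry values are accepted but the container never starts, and RequiredProperties versus AvailableProperties shows which prerequisite is missing. Credential Guard protects only the derived credentials held after logon; it does nothing against a keylogger capturing the PIN or password as it is typed.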
Windows 10 Data Loss Protection
Another important feature of Windows 10 enhances the protection of enterprise data. BitLocker has provided full-disk encryption since it first appeared in Windows Vista, but as mobile devices multiply in the workplace, it becomes crucial that protection follows data after it leaves the device (data loss protection). Azure Rights Management and Information Rights Management in Microsoft Office can protect data that leaves a device, but they require users to opt in and apply the protection themselves. In Windows 10, enterprises can define which applications may access enterprise data, and the system prevents that data from being copied or accessed without the correct security policy in place, whether the data is in transit or on another device. Windows 10 does this with containers that separate enterprise data from personal data at the application and file level, and by automatically encrypting enterprise data when it arrives on the device. Users do not have to switch modes or use special applications to protect enterprise data, which addresses the problem of users who are not security-minded.
Application access control
Enterprises need to manage BYOD environments, which makes secure access to network resources an important task for many of them. Windows 10 lets administrators specify which applications are or are not allowed to send traffic through the enterprise VPN, and access can further be restricted by port and IP address. In addition, administrators can configure devices to allow installation only of trusted applications: applications signed by the enterprise, applications from approved software vendors, and applications from the Windows Store. The goal is to make it easier for enterprises to lock down critical or sensitive devices against malware infection while giving other groups of users greater flexibility.
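The following PowerShell is an added example, not code from the article or from Microsoft, of locking down a sensitive device along the two lines described above: a VPN profile whose traffic filters admit only one named application, one protocol and port, and one corporate address range, applied through the MDM WMI bridge provider, and a Device Guard code integrity policy built from a reference machine in audit mode. The server name, address range, application path and file locations are placeholders; the VPNv2 ProfileXML elements and the ConfigCI cmdlets are assumed to be available (Windows 10 Enterprise with the MDM stack), and the bridge provider has to be called in the SYSTEM context (for example via psexec -s).

```powershell
# Added example: per-app VPN with port/address filters, plus a code-integrity
# policy that only lets trusted binaries run. Values marked PLACEHOLDER are
# assumptions; element, class and cmdlet names are Microsoft's.

# ---- Part 1: VPN that only one app may use, and only to 10.0.0.0/8 on TCP 443 ----
# Once a profile contains any TrafficFilter, only traffic matching a filter is
# allowed across the tunnel; every other app's traffic is dropped at the VPN
# interface. Protocol 6 is TCP. The AppTrigger brings the tunnel up when the
# app starts, so users never have to connect by hand.
$ProfileName = 'Corp VPN'                                  # PLACEHOLDER
$AppPath     = '%ProgramFiles%\Contoso\Inventory.exe'      # PLACEHOLDER desktop app
$ProfileXML  = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
  </NativeProfile>
  <TrafficFilter>
    <App><Id>$AppPath</Id></App>
    <Protocol>6</Protocol>
    <RemotePortRanges>443</RemotePortRanges>
    <RemoteAddressRanges>10.0.0.0/8</RemoteAddressRanges>
  </TrafficFilter>
  <AppTrigger>
    <App><Id>$AppPath</Id></App>
  </AppTrigger>
</VPNProfile>
"@

# The CSP stores ProfileXML as an escaped string inside the node value.
$escaped = $ProfileXML -replace '<', '&lt;'
$escaped = $escaped    -replace '>', '&gt;'
$escaped = $escaped    -replace '"', '&quot;'

$ns       = 'root\cimv2\mdm\dmmap'
$instance = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $ns
$props    = @(
    @{ Name = 'ParentID';   Value = './Vendor/MSFT/VPNv2';              Flags = 'Key' },
    @{ Name = 'InstanceID'; Value = ($ProfileName -replace ' ', '%20'); Flags = 'Key' },
    @{ Name = 'ProfileXML'; Value = $escaped;                          Flags = 'Property' }
)
foreach ($p in $props) {
    $instance.CimInstanceProperties.Add(
        [Microsoft.Management.Infrastructure.CimProperty]::Create($p.Name, $p.Value, 'String', $p.Flags))
}
(New-CimSession).CreateInstance($ns, $instance) | Out-Null   # must run as SYSTEM

# ---- Part 2: code-integrity policy: only trusted, signed binaries may run ----
Import-Module ConfigCI
$PolicyXml = 'C:\CI\InitialPolicy.xml'                     # PLACEHOLDER
$PolicyBin = 'C:\CI\SIPolicy.p7b'                          # PLACEHOLDER
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# Scan a clean reference machine: trust the signing publishers found there
# (enterprise, approved vendors, Store) and fall back to file hashes for
# anything unsigned. -UserPEs includes user-mode binaries, not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\' -FilePath $PolicyXml

# Rule option 3 = Enabled:Audit Mode. Violations are logged to
# Microsoft-Windows-CodeIntegrity/Operational (event 3076) instead of blocked;
# remove the option only after a representative audit period shows no gaps.
Set-RuleOption -FilePath $PolicyXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Deploy: the kernel reads the binary policy from this path at boot.
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
Write-Host 'Reboot to load the policy; review event 3076 before leaving audit mode.'
```

Two practical points: the traffic filter is an allow-list, so forgetting a filter for DNS or for a second application silently breaks that application over the VPN rather than producing an error, and a code integrity policy built from a machine that already carries unwanted software will happily trust that software's publisher, so the reference image must be clean before New-CIPolicy runs.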
These three key new features reduce reliance on certain third-party products, such as DLP and two-factor authentication, but enterprises still retain great flexibility in the security controls they use. Windows 10 devices can be enrolled in most mobile device management products and connected to existing VPN infrastructure. Windows Server 10 will also include Windows Defender, although most enterprises will still want to run specialized anti-virus and anti-malware products on network gateways and key devices.
Windows 10 makes security measures easier for administrators to deploy and easier for employees to use. This should make it popular in enterprises and attract those still running Windows 7.
Unified deployment and management, a common application platform and a common security model will free up system administrators' time and improve overall security. IT staff at large enterprises can join the Windows Insider Program to try the new security features before Windows 10 is released and evaluate their applicability and ease of use. Enterprises should make sure analysts use dedicated test devices for these experiments, because Microsoft collects a large amount of telemetry from devices running the preview builds.