How to maximize the enterprise-level security features of Windows 10

How to maximize the enterprise-level security features of Windows 10

Windows Defender provides basic protection capabilities, but you still need to download other third-party anti-malicious software packages-free or paid-as an alternative.

Although the regression of the Start menu and the design philosophy of focusing on the desktop environment have won praise from enterprise customers for Windows 10, however, security improvement is the strategic reason to attract them to upgrade. However, it should be emphasized that some key features may not be officially released until this fall.

Windows 10 Enterprise Edition is available quickly one day after its consumption version is released. It naturally provides multiple practical improvements that can be made to enterprise customers. However, in Windows 10 Enterprise Edition, a variety of extremely important security features are either included in major future updates (we can understand it as a service package, that is, the SP we are familiar) -- it may be officially released this fall, or it will rely on enterprises and online sites and services to achieve a series of substantial security changes-such as eliminating outdated password mechanisms. In other words, with the launch of these important upgrades, we need to develop a corresponding plan to maximize the security advantages of Windows 10.

However, at present, IT administrators can still enjoy a large number of immediate security improvements, especially when users under their jurisdiction include Windows 10 devices into their daily work. In addition, some of them only need simple policy adjustments to play a role.

For example, most consumer PC devices need to use anti-malware to guarantee security. When the subscription expires, if the user does not renew the subscription in time (Microsoft said, about 10% of consumption-level PC devices will see this situation), so Windows Defender will be automatically enabled after the preset time. The current preset time is three days, because anti-virus software vendors do not want Windows Defender to be enabled immediately after the product expires, however, this mechanism can help enterprises achieve better security when employees access the business environment through household systems outside of supervision.

It should also be pointed out that Windows Defender also has a set of offline versions built in the Windows Recovery environment. Its role is to continue to protect itself from malware when fixing the system.

Microsoft's new Edge Browser improves security in multiple aspects, from running in the application container sandbox to removing ActiveX controls, VCScript, toolbar, and Browser Helper Object. Although this makes browsing operations more secure as a whole, it also requires you to make certain adjustments to your business applications (or in most cases, configure the employee's PC device to continue using IE to access the corresponding site ). In addition, despite the introduction of a large number of modern Web standards and the improvement of browsing speed, Edge is obviously in the development stage, and is expected to usher in a major feature update later this year.

If you directly upgrade from Windows 7 or other earlier versions to Windows 10, some of the security features inherited from Windows 8 may be the same for you for the first time. For example, the trusted start of malware protection will first load anti-virus software and then load other software at startup, allowing us to choose to run operating system components that are digitally labeled as non-malicious code, at the same time, the verified system security START process can be stored in the Trusted Platform Module (TPM), so that you can check before allowing devices to access critical systems, especially when TPM is used as a virtual smart card.

BitLocker full-disk encryption is still only applicable to Windows Professional Edition and Enterprise Edition, however, the most basic Windows 10 Family edition system also has the device encryption options provided when Windows 8.1 is released (as long as appropriate hardware is available ).

Other security functions in Windows 10 are more basic, but they still require users to change their identity information, authentication and access methods to maximize their preset functions.

Surpassing traditional passwords

Biometrics is no longer a new thing for PC devices, but hardware on the new PC makes this feature faster and more flexible, the new Windows Hello login feature is also very easy to use. The new fingerprint scanner uses capacitive technology, just like the iPhone touch screen, therefore, users can put their fingers directly without having to slide repeatedly on a narrow sensor as they used to-so that the system can simultaneously complete 3D fingerprint structure verification and finger "active" checks. Now, Intel has introduced biometric sensors in its own main board products. We believe they will contribute to security protection on more devices in the future.

Windows 10 also works smoothly with technical solutions such as palm vein printing, iris recognition, and 3D face recognition, using the Intel RealSense camera currently available on many laptops. This feature can also detect the user's temperature using an infrared sensor, so it is not fooled by small tricks such as photos or masks.

With the gradual replacement of the standard Windows user password by biometric identification technology, we can now more effectively prevent employees from being fooled by phishing activities, at the same time, it avoids the risk of username and password content leakage caused by repeated use of work passwords in cloud services. However, it is not enough to deal with the increasing number of common attacks, because attackers have been able to control malware on a single PC device, in this way, you can collect the access token and Kerberos certificate when logging on to Windows. With this information, attackers can access internal emails, shared files, SharePoint sites, business applications, enterprise databases, and other data storage contents.

These attacks are often referred to as "hash Avoidance" and "ticket Avoidance" attacks, depending on the certificate category pointed to by the attacker, Microsoft's Chris Hallum explained. "Once an attacker obtains this token, it is equivalent to having his own identity in the enterprise environment. The actual effect is the same as obtaining the employee's username and password. If they can get administrator privileges, they can run tools to extract token information, and then walk in the network and access any server without entering a password ."

In Windows 10 Enterprise Edition (and Windows Server 2016), the login process runs in Microsoft's so-called virtual security mode-this is a secure virtual container, no administrator permission is provided and access activities are strictly restricted. Users can only obtain the corresponding functions provided by the login service verification. Both the access token and ticket are stored here and exist in full-length hashes in full randomization and managed forms, eliminating the possibility of brute-force cracking attacks. "Even if the Windows kernel is broken by attackers, it cannot access token information outside the container," Hallum said. "In this way, we can isolate one of the most important Windows Components ."

However, to use this Credential Guard mechanism to protect enterprise certificates, you not only need to run Windows Enterprise Edition on PC devices with hardware virtualization and TPM technology, you also need to migrate the domain controller to Windows Server 2016.

Replace Password

You also need to make plans in advance to use Windows Passport, that is, the next generation certificate that just emerged in Windows 10 that is compatible with the fast identification network (FIDO) technology. You can use these distributed certificates to verify the existing public key infrastructure or key pairs generated by Windows, and they are stored securely in TPM, it can be unlocked through biometric identification or PIN (or image password. Each device can be registered using a smart card or a one-time password, so the PC itself becomes an auxiliary factor in verification. Of course, you can also use Bluetooth devices or Wi-Fi connected mobile phones to verify multiple other devices for users.

You can set the length and complexity of the PIN code in the Management Policy (up to 20 characters, including uppercase and lowercase letters, symbols, spaces, and numbers ), set independent PIN codes for different enterprise certificates. In this way, we can clear this part of information without affecting other users.

In the long run, many websites and online services will also adopt FIDO compatible certificates, but we can first introduce Passport into our own business line applications and services as a preliminary attempt. It works smoothly with a variety of well-designed applications, Hallum says, "Every application should be able to take advantage of this unless you do not plan to follow the best practices, for example, an application forces a user to enter his/her username and password, instead of using the password provided by Windows." However, you need to emphasize that you need to have Windows 2016 and Azure Active Directory-or some updates to your own Active Directory infrastructure-to implement this protection function.

If you choose to use Azure Active Directory, you can use it to configure the built-in mobile device management (MDM) client in Windows 10, in this way, employees can use PC devices to provide single-point logon for domain resources and various cloud services. Microsoft Intune is the first MDM service capable of managing Windows 10 devices, however, Microsoft is currently actively promoting support for Windows 10 from other MDM vendors, which will allow users to set access control policies based on multiple factors, including where the user logs on, whether the device is running well and whether the user is compliant, how the application is sensitive, and how to set access restrictions for common user roles and group settings.

If you want to further control the applications or services that can run on the Device, you need to use a PC product with the new Device Guard option. This requires that the BIOS and UEFI be locked by the OEM. In this case, we need to purchase hardware that meets the relevant requirements, but at the same time we have the ability to limit what software it can run. These include applications from Windows Store-desktop and general-purpose applications, applications from specific software vendors, and self-developed applications uploaded to Windows Store-of course, you can also connect to Microsoft to set a local certificate. As long as these signature certificates are strictly protected by enterprises and software vendors, the entire system is sufficient to completely block malware from critical devices.

Each file has its own container environment.

Later this year, Microsoft will bring another key security option for Windows 10: Enterprise Data Protection (EDP ). This feature uses a container solution that is commonly used on smartphones to protect corporate files. It uses management policies to automatically store business content in encrypted locations without requiring manual encryption of each file. However, unlike most smart phone container systems, each file in Windows 10 has its own container environment, while Windows plays the role of access proxy.

"Windows 10 can differentiate business and personal data based on specific data sources," Hallum pointed out. "You can set the location on the network and specify the corresponding data as the business type. For example, this is a business mail server and these are business file servers, all use the IP address range provided by the DNS address. When the content from these locations is received, the network will identify its source and we will be able to encrypt it at the file level in advance ." For files generated by devices, you can use the management policy to specify which applications belong to individuals and business categories, and automatically encrypt files from business applications.

This is a cross-platform solution, so files can be opened on OS X, iOS, and Android platforms. Office files are also easy to use. We can use Office 2016 to open them-including free Office Mobile applications provided by Windows 10, but you need to order commercial services for business purposes. Currently, only the Mac version of Office 2016 provides a preview version. Therefore, the Windows 10 container solution is likely to be available along with the launch of the Windows version of Office 2016. Microsoft Intune is currently the only MDM service that can manage Office applications. However, you can use various MDM services or System Center Configuration managers to configure keys and management policies, in this way, enterprise data protection containers can be managed.

With the emergence of more security technologies in Windows 10, we need to develop a series of policies and investment to maximize their value. However, the security level provided by Windows 10 and Windows Server 2016 can effectively protect certificates and application files, which have never been seen in the Windows ecosystem before.

Original article title: How to get the most out of Windows 10 enterprise security features