Almost every day I hear from customers or friends who are worried about security threats reported in the media. Increasingly, I find myself saying: “That’s handled by default in Windows 10.”
Windows 10 contains many new security features. Last year, InfoWorld’s Fahmida Rashid provided a great overview in her article, “Why Windows 10 is the most secure Windows ever.” Here, I’ll get down to the nitty-gritty of the most important security features of Windows 10.
You can’t talk about Windows 10 security without discussing a huge, underlying security architecture addition known as virtualization-based security (VBS). VBS uses software- and hardware-enforced mechanisms to create an isolated, hypervisor-restricted, specialized subsystem for storing, securing, transferring, and operating other sensitive subsystems and data.
In a nutshell, VBS makes it very difficult for attackers to mess with core components of the operating system. VBS isn’t merely an improved defense -- it represents an architectural change that vastly reduces the attack surface area and attempts to eliminate the attack vectors themselves. All hacking and malware won't magically go away, but VBS creates a secure environment where select parts of the operating system are less likely to be modified -- and critical data are less likely to be stolen and reused.
A very small, low-level operating system kernel runs in the VBS subsystem. Nothing that isn't signed by Microsoft is allowed to be injected into it or to execute there. User and computer authentication secrets are stored there, as well as information that helps protect other areas of the operating system not located in the VBS. Windows’ LSA secrets, which were so badly compromised by malicious hackers and malware over the last decade, are now hardware-protected by VBS.
There have been other Holy Grail security boundaries (often known as “Ring 0”) in the past, which, when penetrated, led to rootkits and more bad news. The difference with VBS is that it’s hardware-enforced. In order to get into the protected subsystem, the hacker must find a flaw in the hardware or the hypervisor that isolates VBS and whatever is running within it. Even if a flaw is eventually found, that hole can be closed to prevent almost any possible attack. We are no longer playing a losing game of whack-a-mole at the lowest levels of the operating system.
The computers that best take advantage of VBS must contain virtualization-based chips and hardware extensions, including CPU virtualization extensions (such as Intel Virtualization Technology and AMD-V), Input–Output Memory Management Units (such as VT-d or AMD-Vi), and Second Level Address Translation.
Trusted Platform Module (TPM) chips make VBS stronger and assist with integrity enforcement in Windows. In my experience, most enterprise-class computers already have a TPM chip, and soon so will 100 percent of devices coming from most major OEMs, including consumer versions.
No doubt about it -- this is coming from a longtime security curmudgeon -- VBS changes the playing field. It’s the start of a new paradigm in OS security.
Worried about rootkits and other low-level malware? In Windows 10, the nasty stuff is much more difficult for hackers to inject, thanks to secure booting.
Windows Vista inaugurated secure booting: It used BitLocker and the TPM chip to protect the boot process. Windows 7 debuted Unified Extensible Firmware Interface (UEFI), which replaced the highly vulnerable traditional BIOS, and Windows 8 incorporated secure boot protections added by the newer UEFI versions. UEFI and Windows work together to ensure that the hardware and lowest levels of the OS aren’t tampered with -- and if tampering occurs, you either get a warning or the unauthorized modification is prevented.
Debuting in Windows 8, a feature called Windows Trusted Boot provides code integrity validation that protects all of the Windows boot functions from tampering and automatically remediates if tampering is detected. In addition, it included early-launch antimalware (ELAM) capability, which ensures your antimalware software starts before the malware itself can launch. In previous versions of Windows, malware could start before AV and tamper with its function. However, you still need to make sure your preferred antimalware software supports ELAM.
Windows Hello is Windows 10’s attempt to get rid of passwords, which are often stolen and reused. Hello supports three methods of biometric authentication (facial, iris, and fingerprint) in concert with a simple PIN.
Many computers and devices shipping today support Hello -- and the devices that detect these biometric identifiers have been tested to ensure they can’t easily be faked by hackers. Microsoft worked with members of the infamous Chaos Computer Club, which has experience in hacking biometric devices, to harden Hello against hacks.
Hello is for local logons only. The stored information never leaves your device, and even if an attacker took it, it would be useless on other devices. Once you're successfully authenticated using Hello, the newer Passport authentication mechanism (see below) can be used.
Microsoft Passport is an advanced single-sign-on solution that has little to do with Microsoft’s Passport option from more than a decade ago. Behind the scenes, Passport supports the open FIDO Alliance and works via public key cryptography, although you don’t need PKI to use it. From a behind-the-scenes technical perspective, it works much like a (virtual) smartcard, but without the need for a separate card or card reader.
If your computer has a TPM chip, the private key of the asymmetric key pair is securely stored there instead of in software. You use Hello or your PIN to authenticate locally, then use Passport to securely authenticate to other network locations. Passport works with your enterprise Active Directory, Azure Active Directory, Microsoft account, or any other participating FIDO identity provider (there will be hundreds).
If you’re worried about pass-the-hash attacks, then implement Windows 10’s Credential Guard. It protects the Windows authentication broker (LSA) and the user’s derived credentials (such as NTLM hash) in the VBS. By isolating the authentication service and protecting the NTLM credential data, VBS effectively prevents network-based PtH attacks.
On the downside, Credential Guard does not protect local credentials (which are located on disk or in the registry), and it doesn’t currently work with Remote Desktop Protocol logons. But if you make sure your local administrative passwords are unique between computers, then the typical password hash attacker will be slowed down, if not stopped, in attempting to take over your network.
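Before relying on any of this, check that it is actually running. The following is an added example, not code from the article: it reads the VBS and Credential Guard state from the Win32_DeviceGuard class and the LsaCfgFlags registry value, and checks the hardware prerequisites the article lists (UEFI Secure Boot and a TPM). Field meanings follow Microsoft's documentation for that class; no other names are assumed.

```powershell
# Added example (not from the article): report whether the protections the article
# describes (UEFI Secure Boot, TPM, VBS, Credential Guard, HVCI) are actually active.
# Run in an elevated PowerShell session on Windows 10 or later.

function Get-VbsPosture {
    # Win32_DeviceGuard exposes the VBS state; values follow Microsoft's class documentation.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $vbsState  = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]

    # SecurityServicesRunning: 1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI)
    $cgRunning   = 1 -in $dg.SecurityServicesRunning
    $hvciRunning = 2 -in $dg.SecurityServicesRunning

    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, absent/0 = off
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lsaFlags = if ($lsa) { $lsa.LsaCfgFlags } else { 'not set' }

    # Hardware prerequisites the article lists: UEFI Secure Boot and a TPM.
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines, so treat that as "not enabled".
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsState               = $vbsState
        CredentialGuardRunning = $cgRunning
        HvciRunning            = $hvciRunning
        LsaCfgFlags            = $lsaFlags
        SecureBootEnabled      = $secureBoot
        TpmPresent             = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady               = [bool]($tpm -and $tpm.TpmReady)
    }
}

$posture = Get-VbsPosture
$posture | Format-List

# The gap to watch for: VBS running but Credential Guard not isolating LSA secrets.
if ($posture.VbsState -eq 'Running' -and -not $posture.CredentialGuardRunning) {
    Write-Warning 'VBS is running but Credential Guard is not; LSA secrets are not isolated.'
}
```

A machine where VBS is enabled but not running usually lacks one of the hardware features above or has them disabled in firmware.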
Device Guard is a highly secure tool that determines which applications and scripts should be allowed to run on a particular computer. Windows has had a similar feature since Windows XP (Software Restriction Policies), which was improved with AppLocker (available since Windows Vista). But Device Guard uses the hardware power of VBS to protect the integrity of what is and isn’t allowed to run on a Windows computer. Companies and vendors can add their approved software to the lists of applications allowed to run. If used appropriately, it can prevent most maliciousness from occurring.
Microsoft recommends that you use both AppLocker and Device Guard where it makes sense. I can tell you that Device Guard requires far more testing and preparation, and it may even be unusable in some scenarios -- but if employed, it arguably offers the greatest security (and flexibility) you’ll ever get out of an operating system. It can be configured and controlled using group policy, PowerShell, and other Microsoft tools and applications.
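The testing and preparation the author mentions boils down to building the policy in audit mode first. The following is an added example, not the article's or Microsoft's own code: it uses the ConfigCI cmdlets to scan a reference machine, stage the resulting code integrity policy in audit mode, pull the would-have-been-blocked events from the CodeIntegrity log, and only then switch to enforcement. The C:\CIPolicy paths are assumptions; rule option 3 (Audit Mode), event ID 3076 and the System32\CodeIntegrity\SIPolicy.p7b location are Microsoft's documented values.

```powershell
# Added example (not from the article): stage a Device Guard code integrity policy in audit
# mode from a clean reference machine, review what it would have blocked, then enforce it.
# Needs the ConfigCI module (Windows 10 Enterprise) and an elevated session; paths are assumed.

$PolicyXml = 'C:\CIPolicy\ReferencePolicy.xml'   # assumed working path
$PolicyBin = 'C:\CIPolicy\SIPolicy.p7b'           # compiled policy that Windows actually loads

function New-AuditModeCIPolicy {
    New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

    # Inventory every PE on the reference image. Trust by signing publisher; fall back to a
    # file hash for unsigned binaries. -UserPEs covers user-mode code, not only drivers.
    # A full-drive scan is slow; that is the "testing and preparation" the article mentions.
    New-CIPolicy -ScanPath 'C:\' -Level Publisher -Fallback Hash -UserPEs -FilePath $PolicyXml

    # Rule option 3 = Enabled:Audit Mode. Violations are logged, nothing is blocked yet.
    Set-RuleOption -FilePath $PolicyXml -Option 3

    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
}

function Install-CIPolicy {
    # Windows picks up SIPolicy.p7b from this directory at the next boot.
    Copy-Item -Path $PolicyBin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
}

function Get-CIAuditBlocks {
    # Event 3076 = a file that violated the policy but was allowed because the policy is in audit mode.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'Detail'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Enable-CIEnforcement {
    # Only after the audit log is clean: remove the audit option, recompile and redeploy.
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
    Install-CIPolicy
}

New-AuditModeCIPolicy
Install-CIPolicy
# Reboot, run the normal workload for a representative period, then review before enforcing:
Get-CIAuditBlocks | Format-Table -AutoSize
```

Every 3076 entry is a binary that enforcement would have stopped; each one is either a rule to add to the policy or an unexpected executable worth investigating.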
Enterprise Data Protection
BitLocker protects your data when a device is lost or stolen, but how do you protect it from users who might accidentally or even intentionally leak data? This is where a brand-new Windows 10 feature comes to play. It’s called Enterprise Data Protection, and it provides persistent file-level encryption and basic rights management to corporate files.
Enterprise Data Protection doesn’t get in the way of the user experience. You can continue to use the apps that you or IT choose to access protected content. Users aren’t required to work with special folders, change modes, or move into secure zones or partitions. Windows acts as a broker that gates user and app access to protected data based on policies you define.
Enterprise Data Protection is great at identifying, separating, and protecting corporate data, and in most cases it can do so without the need for app-wrapping, reengineering, or other measures. EDP can be used in combination with Azure Active Directory and Rights Management services to provide secure B-to-B sharing.
There are a ton of tiny changes that make a Windows 10 computer either more secure by default or easier to secure -- for instance, better DMA attack mitigation, EMET-enabled protections, the ability to prevent local accounts from logging on over the network, and more.
Also, don’t forget the security options available in previous versions of Windows, including User Account Control, Kerberos Armoring, SmartScreen, TPM Key Attestation, Advanced Auditing Settings, Mandatory Integrity Controls, Virtual Smartcards, and more.
A reason to upgrade
Whether you’re a Windows fanboy or an uber critic, there’s no denying Microsoft has steadily added major security improvements, culminating with Windows 10. If you tack on all the new administrative security model improvements, simply following the defaults and adjusting a few settings can make your Windows environment a lot more secure than it was in the bad old days of Windows XP.