You may love the look and feel of Windows 10 -- and the new stuff like Cortana or the Edge browser. Or, like Woody Leonhard, you may still be looking for a compelling motive to abandon Windows 7, regardless of the fresh additions in the Windows 10 Anniversary Update (Windows Ink, anyone?). Either way, good for you!
But there’s one inarguable, objective reason to upgrade to Windows 10: much stronger security, especially for enterprises.
A year ago Windows 10 introduced a slew of new security features, to which it has added another helping in Windows 10 Anniversary Update. Some of these features benefit all versions of Windows 10, while others come only with the Enterprise (and Education) editions.
Here, I’d like to concentrate on the ironclad enterprise stuff, which derives from an architectural change known as Virtualization-Based Security (VBS). The basic idea is that the Hyper-V hypervisor loads first and runs directly on the hardware. The normal Windows 10 operating system runs on top of it in one partition, and alongside that, in effect a second, tightly sealed virtual machine that Microsoft calls Virtual Secure Mode, run four essential security services that nothing in the normal OS -- not even code running in its kernel -- can read or modify:
- Local Security Authority Subsystem Service (LSASS): This is Windows’ basic authentication mechanism, which enforces security policies, generates access tokens containing user and group information and user-specific privileges, and holds the secrets (NTLM password hashes, Kerberos tickets) that prove a logged-on user’s identity. Credential Guard moves those secrets out of LSASS into an isolated LSA process (LsaIso.exe) that runs inside the VBS environment; LSASS itself stays in the normal OS and can only ask the isolated process to use a secret, never read it back. Tools that dump credentials out of LSASS memory therefore come up empty -- hence Microsoft’s name for the feature, Credential Guard.
- Virtual Trusted Platform Module: This component provides the functions of a TPM -- generation and protection of cryptographic keys, measurements of system integrity, and so on -- to virtual machines, and VBS itself uses the physical TPM to bind the keys that protect its isolated secrets to the machine. To work, it requires TPM 2.0 support in hardware. As of July 28, 2016, to qualify as Windows 10 compatible, “all new device models, lines, or series … must implement and enable by default TPM 2.0.”
- Hypervisor-enforced code integrity (HVCI): This is part of Device Guard, which allows only trusted applications to run. With HVCI, the checks on kernel-mode code move into the VBS environment, so even an attacker who has compromised the Windows kernel cannot load an unsigned driver or turn a data page into executable code; the hypervisor, not the kernel, decides which memory pages may execute. See Fahmida Rashid’s excellent explanation of how Device Guard works.
- Biometric validation and data: With Windows 10 Anniversary Update, the biometric component of Windows Hello moves to the VBS virtual machine as well. This answers a common objection to biometrics -- the risk that the stored biometric data, like a password database, can be stolen too.
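As an added example (not part of the original article), here is a PowerShell snippet that asks a Windows 10 machine which of these VBS-hosted services are actually configured and running. It uses the Win32_DeviceGuard and Win32_Tpm WMI classes and the Confirm-SecureBootUEFI cmdlet that ship with Windows 10 (1607 or later); the numeric codes it decodes are Microsoft’s documented values for Win32_DeviceGuard. The function name Get-VbsStatus is my own, and it assumes an elevated prompt on a physical UEFI machine.

```powershell
# Added example, not from the article: report the state of Virtualization-Based
# Security and the services it hosts. Run from an elevated PowerShell prompt on
# Windows 10 1607 or later.

function Get-VbsStatus {
    # Win32_DeviceGuard exposes the VBS state as numeric codes.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Code tables as documented by Microsoft for Win32_DeviceGuard.
    $vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity (HVCI)' }
    $platform  = @{
        1 = 'Base virtualization support (VT-x/AMD-V + SLAT)'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU)'
        4 = 'Secure memory overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations'
    }

    # Credential Guard shows up in the normal OS as the isolated LSA process, LsaIso.exe.
    $lsaIso = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not available".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    # TPM presence and spec version (Win32_Tpm.SpecVersion reads like "2.0, 0, 1.16").
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = 'n/a'
    if ($tpm) { $tpmVersion = $tpm.SpecVersion }

    [pscustomobject]@{
        VbsStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        PlatformFeatures   = @($dg.AvailableSecurityProperties | ForEach-Object { $platform[[int]$_] })
        ServicesConfigured = @($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })
        ServicesRunning    = @($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })
        LsaIsoRunning      = $lsaIso
        SecureBootOn       = $secureBoot
        TpmPresent         = [bool]$tpm
        TpmSpecVersion     = $tpmVersion
    }
}

$status = Get-VbsStatus
$status | Format-List

# Cross-check: WMI reporting Credential Guard as running should coincide with LsaIso.exe being present.
if (($status.ServicesRunning -contains 'Credential Guard') -ne $status.LsaIsoRunning) {
    Write-Warning 'WMI and the process list disagree about Credential Guard; a reboot may be pending.'
}
```

A machine that reports VBS as “Enabled but not running” has the registry or policy switch set but is missing one of the platform features listed in PlatformFeatures, which is the quickest way to tell a hardware gap from a configuration gap.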
Isolating these four services in a separate, secure virtual machine changes the Windows security game. InfoWorld’s Roger Grimes puts it this way: “All hacking and malware won't magically go away, but VBS creates a secure environment where select parts of the operating system are less likely to be modified -- and critical data are less likely to be stolen and reused.”
Realize, though, that VBS is part of a long game. To run Device Guard and Credential Guard you need, along with a TPM (1.2 works, 2.0 is recommended; it is optional but needed to bind the VBS keys to the hardware), other features generally present only in enterprise computer models: a 64-bit CPU with a virtualization extension such as Intel’s VT-x or AMD-V and Second-Level Address Translation (SLAT), UEFI 2.3.1 or later with Secure Boot, and ideally an IOMMU (Intel VT-d or AMD-Vi) so VBS memory is protected against DMA attacks from malicious devices. I imagine it’s only a matter of time before these features migrate to all computers, but that leaves out a lot of legacy and work-at-home systems.
Moreover, as Fahmida Rashid says: “The hardware isn’t the only barrier to getting started; most organizations will also need to make changes to infrastructure and processes. Many IT teams don’t currently use UEFI or Secure Boot because they impact existing workflows.”
Thus, formidable barriers to adoption exist -- including BYOD programs that place few restrictions on the devices employees use. Are you going to roll back BYOD? Or should you wait a few years until the hardware features proliferate, so outlawing Windows systems that don’t comply will be less painful? Of course, you can establish a subgroup of Windows 10 computers that run Device Guard and Credential Guard, but that doesn’t change the fact that your enterprise is only as secure as its weakest endpoint.
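For that subgroup, here is an added example (not from the article, and not Microsoft’s own deployment script) of the registry settings that switch these features on for a standalone Windows 10 Enterprise or Education 1607 machine; in a domain the same values are normally delivered by the “Turn On Virtualization Based Security” Group Policy. The key and value names are the ones Microsoft documents for Credential Guard and HVCI; the helper name Enable-VbsSecurity and its UefiLock and PlatformSecurityLevel parameters are my own, and the machine is assumed to already pass the hardware checks above.

```powershell
# Added example, not from the article: enable VBS, Credential Guard and HVCI through
# the documented registry values. Requires an elevated prompt, Windows 10 Enterprise
# or Education 1607+, the hardware prerequisites, and a reboot to take effect.
# Pilot HVCI before rolling it out: drivers that are not HVCI-compatible will fail to load.

function Enable-VbsSecurity {
    param(
        # With the UEFI lock the setting is also stored in a UEFI variable, so malware with
        # admin rights (or a remote script) cannot simply flip the registry back. The flip side:
        # turning it off later needs a physically present admin at the console.
        [switch]$UefiLock,
        # 1 = require Secure Boot; 3 = require Secure Boot plus DMA protection (IOMMU).
        # Use 3 where the hardware supports it; on hardware that does not, VBS will not start.
        [ValidateSet(1, 3)][int]$PlatformSecurityLevel = 1
    )

    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    if (-not (Test-Path $hvciKey)) { New-Item -Path $hvciKey -Force | Out-Null }

    # Turn the hypervisor-backed environment on and declare which platform features it must have.
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value $PlatformSecurityLevel -Type DWord

    # Credential Guard: LsaCfgFlags 1 = on with UEFI lock, 2 = on without lock, 0 = off.
    $lsaFlags = 2
    if ($UefiLock) { $lsaFlags = 1 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $lsaFlags -Type DWord

    # HVCI: Enabled = 1 turns it on; Locked = 1 adds the UEFI lock. Windows 10 1607 also
    # reads the older single value HypervisorEnforcedCodeIntegrity under the DeviceGuard key.
    $hvciLock = 0
    if ($UefiLock) { $hvciLock = 1 }
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    Set-ItemProperty -Path $hvciKey -Name Locked  -Value $hvciLock -Type DWord
    Set-ItemProperty -Path $dgKey   -Name HypervisorEnforcedCodeIntegrity -Value 1 -Type DWord

    Write-Host 'VBS, Credential Guard and HVCI configured. Reboot, then check Win32_DeviceGuard.'
}

# Pilot rollout: no UEFI lock, so a machine that loses a driver can still be fixed remotely.
Enable-VbsSecurity -PlatformSecurityLevel 1

# Production, once the hardware and driver set have been validated:
# Enable-VbsSecurity -UefiLock -PlatformSecurityLevel 3
```

The unlocked and locked variants are the weak and the hardened setting of the same feature: without the UEFI lock, anything that can write HKLM can turn Credential Guard off at the next reboot, which is exactly the kind of persistence a determined intruder will try.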
Whatever strategy you choose, Windows still dominates the enterprise, and moving toward Windows 10 with VBS enabled seems like common sense over the long haul. Credential Guard by itself has the potential to virtually wipe out pass-the-hash (PtH) and pass-the-ticket attacks -- the lateral-movement techniques behind most APTs (advanced persistent threats) -- because the NTLM hashes and Kerberos tickets those attacks reuse can no longer be read out of LSASS memory. It is not a cure-all: it protects domain credentials, not local accounts or Microsoft accounts, and it does nothing against a keylogger that captures the password as it is typed.
Sure, there will be bumps in the road, with buggy updates and disruptive changes in business customers’ IT processes. But security is in a dreadful state. To be honest, I’m surprised Microsoft hasn’t pushed the notion of “certified secure” Windows 10 computers and mobile devices. Perhaps Redmond is worried about the implications for the vast majority of users who will lack such ironclad protection for some time. But hey, every journey needs to start somewhere.