Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

How to get the most out of Windows 10 enterprise security features

Mary Branscombe | July 31, 2015
The enterprise edition of Windows 10 may be available only a day after the consumer version, with some immediately useful improvements for business. But some of the most important security features in Windows 10 Enterprise will either be included in a major update (that you can think of much like a service pack) that will ship sometime this fall, or will rely on enterprises and online sites and services making some substantial changes to move away from passwords.

BitLocker whole disk encryption is still available only in Windows Pro and Enterprise editions, but even Windows 10 Home systems have the device encryption option from Windows 8.1 (as long as they have suitable hardware).

Other security features in Windows 10 are far more foundational, but they'll require you to make changes in the way you handle identity, authentication and access to get the most from them.

Going beyond the password

Biometrics aren't new to PCs, but the hardware in new PCs makes them faster and more flexible and the new Windows Hello login feature is easy to use. New fingerprint readers are capacitive, as on the iPhone, so users press down their finger rather than swiping across a narrow sensor, and they look at both the 3D structure of the fingerprint the liveness' of the finger. Now that Intel has included an interconnect for attaching biometric sensors on its motherboards, they should start to become more common in devices.

Windows 10 also works with hardware for palm vein prints, iris recognition and 3D facial recognition, using the Intel RealSense camera that's being built into various notebook computers. The feature also accounts for temperature using infrared sensors, so it won't be fooled by photos and masks.

Replacing the standard Windows user password with biometrics protects you against employees who are fooled by phishing attempts, and against releases of usernames and passwords from hacked cloud services where employees have simply reused their work passwords. It doesn't help with the increasingly common horizontal attacks, where attackers who have managed to get malware onto one PC can harvest the access tokens and Kerberos credentials generated when a user logs in to Windows; those may also give them access to email, file shares, SharePoint sites, line of business apps, company databases and other data stores.

These attacks are known as "pass the hash" and "pass the ticket" attacks, depending on which credentials they target, explains Microsoft's Chris Hallum. "Once attackers have that token, they have your identity; it's as good as having your username and password. If they can gain admin privileges they can run a tool to extract the token and take it, and then move around the network and access all these servers without ever being asked for a password."

In Windows 10 Enterprise (and Windows Server 2016), the logon process runs in what Microsoft calls Virtual Secure Mode a secure, virtualized container with no admin privileges and very constrained access, that has only enough capabilities to run the logon service used for authentication brokering. Access tokens and tickets are all stored here, in fully randomized and managed, full-length hashes to avoid brute force attacks. "Even if the Windows kernel is compromised, it doesn't have access to take information out of that container," Hallum says, "so we can isolate one of the most important Windows components."


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.